IAR Information Center for Arm

Important information
New features
Known problems
Program corrections
User guide corrections
Miscellaneous
Release history

Important information

None.

New features

MISRA C:2023 support
MISRA C:2023, also known as MISRA C Third Edition, Second Revision, is now supported. It incorporates MISRA C:2012 amendments 2 (AMD2), 3 (AMD3) and 4 (AMD4), plus technical corrigendum 2 (TC2).

Note: To keep compatibility with existing projects, all MISRA C:2023 rules that also exist in MISRA C:2012 with amendment 1-4, will use the MISRA C:2012 rule identifiers, i.e. the MISRAC2012 prefix will still be used. Example: MISRAC2012-Rule-7.6.
Other new checks
- SWITCH-missing-enum-val checks that if enumeration symbols are used in a switch statement, all symbols in the enumeration are listed in the case statements. This is regardless whether there is any default or not.
- RED-unused-enum-val checks if there are enumeration symbols that are not used anywhere in the code.
SARIF support
A new option to icstat, --sarif_dir directory has been added. If this option is provided, icstat creates a SARIF file in the specified directory. The filenames depend on the analysed files. For example, the result of analyzing main.c is stored in main.c.sarif in the specified directory.

The option cannot yet be used from within the graphical IDE environment, which still uses a proprietory format. It can only be used from a command line environment.
User comments on suppressed checks
When a check is suppressed using C-STAT directives in comments, you can now supply a comment/justification for disabling the check by adding a colon : after the suppression statement. Any text from there will be inserted in the report as User comment. In C-style comments, everything from the : and forward until */ is part of the justification. More lines can be added to the comment by starting consecutive comments with cstat :. Note that the space before : is mandatory.

Examples
```
      /*cstat !RED-unused-enum-val (this is not part of output) : This will be in the report,
      the text continues until */

      //cstat !RED-unused-enum-val : We can have
      //cstat :more lines of text
      //cstat :like this
      // Any other comment will only be in the code.

      // It can be used to suppress a suppression, typically temporary.
      //cstat : !RED-unused-enum-val
      // For now we do not suppress here as the line starts with `:`.
    
```

Known problems

[CSTAT-732, EWARM-10889] A division by zero is not detected for members of struct and unions as denominators.
[EWARM-5208, EW25597] An implicit conversion from an unsigned variable to a smaller unsigned variable results in C-STAT message regarding ATH-overflow. If the unsigned variable had previously overflowed due to subtraction (rolled over to MAX) the message will state that the range of the unsigned variable is negative. Workaround: Adding a cast to create an explicit conversion resolves the message and therefore the bug is not induced.
[EWARM-5201, EW25582] A while or for loop that does not terminate causes C-STAT to not check for an array index becoming out-of-bounds properly.
[CSTAT-839] C-STAT check CERT-EXP33-C_a does not give a warning for uninitialized variables in function calls if they are passed by address. This is by design.
[CSTAT-795] C-STAT may fail to discover memcmp use on null terminated strings if uninitialized data is used for one argument.
[CSTAT-794] C-STAT misses assignment info for local static variables causing false positives for rule MISRAC2012-Rule-8.9_a.
[CSTAT-793] C-STAT does not discover if a local variable address is stored in a global struct member.
[CSTAT-791] C-STAT may fail to discover misuse of unions if they are nested into structs.
[CSTAT-790] C-STAT may fail to discover the use of uninitialized array memory if accessed through a pointer.
[CSTAT-789] C-STAT does not take persistent side effects into account when checking for undefined evaluation order.
[CSTAT-786] C-STAT fails to discover array allocation (new[]) into unique_ptr.
[CSTAT-785] C-STAT may fail to discover a mixed array access in a function call if pointer arithmetic is used instead of iterators.
[CSTAT-783] C-STAT may fail to discover a test against zero for a variable used as a divisor.
[CSTAT-781] C-STAT does not recognize volatile access as a side effect.
[CSTAT-780] C-STAT fails to discover conversion between pointer type and an integral type.
[CSTAT-779] C-STAT only checks rule MISRAC2012-Dir-4.7 for malloc.
The rule suggests that there is some way to enumerate functions that can be expected to return error status. C-STAT does not have any such mechanism.
[CSTAT-777] C-STAT fails to discover when there is no default clause in a switch statement.
[CSTAT-776] C-STAT may fail to discover dead code after break or exit() statements.
[CSTAT-774] C-STAT fails to discover implicit type conversions in switch statement case labels.
[CSTAT-773] C-STAT fails to discover functions declared in block scope, if an out of block declaration exists.
[CSTAT-772] C-STAT may fail to discover octal constants in character and string literals.
[CSTAT-771] C-STAT may fail to discover arithmetic that uses plain char variables or values.

Program corrections

In CSTAT 2.7.2
[CSTAT-836, EWARM-12781] In messages related to one or more of the checks MISRA2012-Rule2.2_c, MISRAC++2008-0-1-6, and RED-unused-val, the lines identified as problematic in the source file might be wrong.
When an assignment in the source file is made redundant by a subsequent assignment, the C-STAT message might identify the line of the later assignment as the problem instead of the original redundant one.
[CSTAT-823, EWARM-12251] C-STAT rule MISRAC2012-Rule-8.5_b does not generate any message if declarations are on the same line number.
[CSTAT-812, EWARM-12080] C-STAT may fail to discover the use of uninitialized array memory if accessed using one of the operators += or -=.
[CSTAT-797, EWARM-11832] Range-based for loops in C++ triggers false positives for rules MISRAC++2008-5-0-15_a and MISRAC++2008-7-1-1.
[CSTAT-768, EWARM-11728] C-STAT might report false positives when checking the rule LIB-memcpy-overrun-pos.
In CSTAT 2.7.2
[CSTAT-844] C-STAT gives a false positive for rule CERT-FIO47-C_b when scanf and related input functions are used with char* variable for %s and char variable for %c.
In CSTAT 2.7.2
[CSTAT-842] C-STAT rule CERT-STR30-C fails to identify when memchr is used on a string constant.
In CSTAT 2.7.2
[CSTAT-840] When the /= and %= operators are used, C-STAT rule CERT-INT32-C_b fails to identify overflows.
In CSTAT 2.7.2
[CSTAT-838] When the value on the left hand in a shift is essentially a signed char, C-STAT rule MISRAC2004-12.8 fails to identify whether the right-hand arguments are too large.
Note: The correction of this bug can cause a number of new messages if code like this is used: 1 << N, where N > 7. Such code needs to be written 1UL << N to avoid shifting an essentially 8-bit value. Because a compiler will silently promote it to int, the resulting code will be correct, but C-STAT will complain if these constructions are not rewritten.
In CSTAT 2.7.2
[CSTAT-837] Rules MISRAC2004-1.2_b, MISRAC2012-Rule-9.1_d, SPC-uninit-struct-field, and CERT-EXP33-C_e fail to identify when a struct variable with an uninitialized field is passed by value to a function.
In CSTAT 2.7.2
[CSTAT-833] In messages related to one or more of the checks MISRA2012-Rule2.2_c, MISRAC++2008-0-1-6, and RED-unused-val, the lines identified as problematic in the source file might be wrong.
When an assignment in the source file is made redundant by a subsequent assignment, the C-STAT message might identify the line of the later assignment as the problem instead of the original redundant one.

User guide corrections

None.

Miscellaneous

None.

Release history

V9.50 2023-11-28

Program corrections

[CSTAT-766, EWARM-11602] Analyzing code that contains calls to the memcpy function can in some situations cause C-STAT to crash.
[CSTAT-759, EWARM-11477] The pass and fail code examples for the CERT-STR32-C check in the C-STAT® Static Analysis Guide are incorrect.

New features

MISRA C:2012 Amendment 3
The Static Analysis tool C-STAT has extended its coverage of the MISRA C:2012 Coding Standard and now fully supports MISRA C:2012 Amendment 3. This Amendment adds one new directive and 23 new rules, as well as revising a number of existing guidelines and supporting material.

V9.40 2023-05-24

Program corrections

In EWARM 9.40.2
[CSTAT-763, EWARM-11556] If a variable is never used after an assignment, the C-STAT checks MISRAC2012-Rule-2.x fail to detect this if postfix or prefix operators were used for the assignment.
In EWARM 9.40.2
[EWARM-11526, TPB-3802] The check COP-member-uninit does not take delegating constructors into account.
In EWARM 9.40.2
[CSTAT-757, EWARM-11484] The check CERT-STR32-C produces false positives for global constants.
In EWARM 9.40.2
[CSTAT-756, EWARM-11483] The check CERT-STR32-C reports false positives when strings are returned from functions.
In EWARM 9.40.2
[EWARM-11480, TPB-3799] Running C-STAT from the command line in combination with the C-RUN option --runtime_checking for the compiler, and using any of the _as C-RUN specific operators in your source code, can cause C-STAT to emit an internal error.
[CSTAT-741, EWARM-10987] The message for a deviation from the check MISRAC2012-Rule-20.1 might be repeated multiple times for the same source code line.
[EWARM-10966, TPB-3748] A lambda expression that only has this in its capture list can cause C-STAT to crash.
[EWARM-10647, TPB-3715] Some pragma directives can trigger an internal error if they are placed at specific locations in the source code. This internal error only occurs when running a C-STAT analysis. An example is:
```
        
            int a = 0
        #pragma cstat_disable = "MISRAC2012-Rule-1.3_a"
            ;
```
Placing the pragma on the line above the definition or after the ; avoids the internal error.

New features

None

V9.32 2022-12-13

Program corrections

In EWARM 9.32.2
[CSTAT-733, EWARM-10894] Functions in <math.h> are not considered to be able to set errno. This can lead to false positives in the CERT-ERR30-C_c check.
In EWARM 9.32.2
[CSTAT-731, EWARM-10819] The MISRAC2012-Rule-10.1_R2 check does not correctly identify the underlying type of the entity pointed to by a pointer in a struct. This might lead to false positive messages regarding expressions having a non-boolean type.
In EWARM 9.32.2
[CSTAT-729, EWARM-10776] C-STAT gives a false positive for MISRAC2012-Rule-9.2 when multi-dimensional character array variables are fully initialized using strings.
In EWARM 9.32.2
[CSTAT-728, EWARM-10726] Suppressing a link analysis check does not work unless all identical checks are suppressed as well, even if they are not enabled.
In EWARM 9.32.2
[CSTAT-723, EWARM-10661] The description of MISRAC2012-Rule-15.7 in the C-STAT® Static Analysis Guide is less descriptive than the corresponding message.
In EWARM 9.32.2
[CSTAT-714, EWARM-10627] The MISRAC2012-Dir-4.13_a and MISRAC2012-Rule-1.3_l checks are missing.
In EWARM 9.32.2
[CSTAT-713, EWARM-10625] The implementation for MISRAC2012-Rule-12.4 is missing, even though it is identical to EXPR-const-overflow, MISRAC++2008-5-19-1, and MISRAC2004-12.11.
In EWARM 9.32.2
[CSTAT-712, EWARM-10626] The MISRAC2012-Rule-10.1_R1 check is missing in the C-STAT manual.
[CSTAT-711, EWARM-10616] Calling a function via a function pointer is not considered to be a side-effect.
[CSTAT-710, EWARM-10575] If the check MISRAC2004-8.1 is enabled, the link analysis will also incorrectly enable the link analysis checks MISRAC2004-8.10 and MISRAC2012-Rule-8.7 even if they are not selected. The link analysis result will in that case not show the names of the checks.
[CSTAT-704, EWARM-10477] The checks CERT-INT30-C_a and CERT-INT30-C_b generate false positives when both sides of an arithmetic expression are of smaller size than the common real type (as described by the usual arithmetic conversion rules), or when the result can be calculated to fit in a value of the common real type.
[CSTAT-702, EWARM-10469] The check RED-unused-assign-struct-field, which is referred to in the C-STAT Static Analysis Guide, does not exist.
[CSTAT-703, EWARM-10468] In some cases, the line numbers referred to in the message for MISRAC2012-Rule-2.2_b can be incorrect.
[CSTAT-701, EWARM-10462]
The MISRAC2012-Rule-16.3 will generate a message regarding a missing break statement as the last statement inside a case label, if the case label has a compound statement and the break statement is placed outside of it. For example:
```
        
        case 42:
          {
            // code
          }
          break;
        default:
        // more code
            
```
[CSTAT-700, EWARM-10461] The check MISRAC2012-Rule-10.1_R2 does not correctly identify the underlying type of an array of pointers or a pointer to an array. This might lead to false positive messages regarding expressions having a non-boolean type.
[CSTAT-699, EWARM-10434] Using a C-style cast on a parameter in a function call will not generate a message for the checks CAST-old-style or MISRAC++2008-5-2-4.
[CSTAT-695, EWARM-10376] The MISRAC2012-Rule-1.4_a check is not displaying a Severity value in the C-STAT Messages window.
[CSTAT-696, EWARM-10338] MISRAC2012-Rule-8.13 generates false positives for cases where a pointer pointing to a non-const qualified type is copied to another pointer, that points to a non-const qualified type.

New features

None

V9.30 2022-06-02

Program corrections

[CSTAT-685, EWARM-10014] If the analyzed translation unit contains an impure function, the MISRAC2012-Rule-8.13 check will never generate any messages.
[CSTAT-684, EWARM-9995] The check MISRAC2012-Dir-4.8 will incorrectly produce a message saying that the implementation of a struct or union should be hidden if there exists a pointer to it that is not dereferenced, even if there exists another pointer that is dereferenced.
[CSTAT-677, EWARM-9901] Having an array with implicit size as a function parameter can cause MISRAC2012-Rule-8.3 to signal that there is a mismatch in types between the function declaration and the definition, even when they are identical.
[CSTAT-678, EWARM-9893] Using C++17 if constexpr statements can lead to incorrect messages in the body of the if statement.
[CSTAT-673, EWARM-9847] Having infinite loops in a function can cause parameters to get incorrect properties (such as, for instance, whether they are dereferenced or freed).
[CSTAT-666, EWARM-9714] When re-analyzing a source file where only the body of a function has changed, any potential function calls it made on the prior analysis run are not removed from the database. This can lead to incorrect interval analysis of the callee's parameters. For example:
```
        static int foo(int x) {
          return 1/x;
        }
        static void bar() {
          foo(0);
        }
        
```
On the first analysis run, this will produce a message regarding division by zero. However, even if the function call is changed to foo(1) and a re-analysis is performed, it will still produce a division by zero message.

New features

None

V9.20 2021-11-02

Program corrections

In EWARM 9.20.3-FS
In EWARM 9.20.4
[CSTAT-651, EWARM-9623] Using an integer constant as a template argument can, in some cases, incorrectly cause C-STAT to interpret them to be of unsigned type, when they are in fact of signed type.
In EWARM 9.20.3-FS
In EWARM 9.20.4
[CSTAT-650, EWARM-9613] C-STAT does not identify write operations on union fields when the field is a struct. This can make C-STAT miss cases where a union variable initializes one field and afterwards reads from another, which is a violation to UNION-type-punning and MISRAC2004-12.12_a.
In EWARM 9.20.3-FS
In EWARM 9.20.4
[CSTAT-645, EWARM-9593] When determining the underlying type of an expression, C-STAT can report incorrect information when the expression contains C++ references.
In EWARM 9.20.3-FS
In EWARM 9.20.4
[CSTAT-644, EWARM-9592] In C++ code, calling a non-const class method with a non-const parameter generates a message incorrectly claiming that the parameter should be const-qualified.

In EWARM 9.20.3-FS
In EWARM 9.20.4
[CSTAT-643, EWARM-9591]

MISRAC++2008-5-0-4 can incorrectly generate a message regarding implicit conversion of nullptr. For example:

        void ex() {
          int *p;
          if (nullptr == p); /* Implicit conversion of integer expression `0' from signed
              8-bit int to unsigned 8-bit int changes the signedness of the underlying */
          type
        }

In EWARM 9.20.3-FS
In EWARM 9.20.4
[CSTAT-640, EWARM-9582]

The MEM-stack-param check generates a message when a local pointer is aliased to a global variable via a function call. This code snippet will for example generate a message:

        char g[10];
        void f(char ** const pp) {
          char *p = g;
          *pp = p; // Parameter 'pp' aliased to global 'g'
        }
        void f3(char ** const pp) {
          char *p;
          f1(&p);
          *pp = &p[0]; // 'p' no longer reference a stack address
        }

In EWARM 9.20.3-FS
In EWARM 9.20.4
[CSTAT-638, EWARM-9557]
MISRAC2012-Rule-5.1 generates a message regarding identifier collision when one of the identifiers is declared as weak.
```
        /*file1.c*/
        __weak void foo() {}
        /*file2.c*/
        void foo() {} 
```
In EWARM 9.20.3-FS
In EWARM 9.20.4
[CSTAT-637, EWARM-9554] The RED-no-effect check can generate a message on implicitly declared C++ constructors and move assignments.
In EWARM 9.20.3-FS
In EWARM 9.20.4
[CSTAT-636, EWARM-9541] MISRAC2012-Rule-10.3 incorrectly interprets the expression {1} to have essential type signed int instead of array of signed int.
In EWARM 9.20.3-FS
In EWARM 9.20.4
[CSTAT-635, EWARM-9506] Using the comment directive #tag to suppress checks on a C++ source file can trigger an internal error in C-STAT.
In EWARM 9.20.3-FS
In EWARM 9.20.4
[EWARM-9462, TPB-3576] C-STAT does not recognize the C++17 attribute [[fallthrough]] or the GNU/Clang __attribute__((fallthrough)).
In EWARM 9.20.3-FS
In EWARM 9.20.4
[EWARM-9410, TPB-3570] Using certain string literals (such as "¦íªº") can cause C-STAT to exit with an internal error.
In EWARM 9.20.3-FS
In EWARM 9.20.4
[EWARM-9408, TPB-3569] C-STAT generates an error message gcfe failed: unknown stmt kind=2 if the C++17 if constexpr construct is used.
In EWARM 9.20.3-FS
In EWARM 9.20.4
[CSTAT-626, EWARM-9320]
The size of arrays declared with typedefs might be incorrectly estimated if they are used in structs, as in this example:
```
        typedef char ARR[8];
        typedef struct {
          ARR arr;
        } S;
        
```
In EWARM 9.20.3-FS
In EWARM 9.20.4
[CSTAT-625, EWARM-9319]
MISRAC2012-Rule-10.3 generates a message regarding incompatible essential types for the following array initialization:
```
        unsigned int arr[3] = {1U, 2U, 3U};
        
```
In EWARM 9.20.3-FS
In EWARM 9.20.4
[CSTAT-624, EWARM-9318] Boolean expressions that are explicitly cast to a non-Boolean type are still considered to be of Boolean type.
In EWARM 9.20.3-FS
In EWARM 9.20.4
[CSTAT-623, EWARM-9317] For some buffer overrun related checks, C-STAT might estimate the size of array elements incorrectly when the elements are of pointer or array type.
[CSTAT-618, EWARM-9163] When running a C-STAT analysis in parallel, if the number of processes selected is higher than the amount of enabled link analysis checks, potential link analysis messages might fail to be displayed in the C-STAT Messages or the Build windows.
[CSTAT-617, EWARM-9149] The check MISRAC2012-Rule-8.13 generates a message claiming that function pointers should be declared as const when they are not copied or modified.

[CSTAT-612, EWARM-9055]

The link analysis can report erroneous messages regarding symbol conflicts for the same header file, if it is included more than once but with different casings.

        === foo.h ===
        typedef enum tagFoo { BAR } Foo;
        === file1.cpp ===
        #include "foo.h"
        === file2.cpp ===
        #include "FOO.H"
        Tag with name `tagFoo' already declared 1 time(s) MISRAC2012-Rule-5.7

[CSTAT-611, EWARM-9051] Integer to float conversions, when the size of the integer is smaller than the size of the float, generate false positives regarding loss of precision for the check CERT-FLP36-C.
[CSTAT-609, EWARM-8953] The check MISRAC2012-Rule-10.3 can generate false positives when an object before and after an implicit conversion is of array type.
[CSTAT-608, EWARM-8952] Parameters of array type are sometimes incorrectly interpreted as being of pointer type. This can lead to false positives from checks such as MISRAC2012-Rule-8.3, which examines whether the parameter types of a function's declaration and definition are identical.
[CSTAT-607, EWARM-8951]
Comparing a variable with its maximum possible value can lead to false positives for checks such as RED-cond-never and RED-cond-always.

The following code snippet will for example generate a RED-cond-always message for the if statement:
```
        unsigned char c;
        if (c == 255U);
```
[EWARM-7157] For better correlation between the number of C-STAT messages and the number of potential problems, two or more checks that identify an identical problem are now consolidated in the analysis report. This might lead to fewer messages (but not fewer reported potential problems).

New features

None

V9.10 2021-02-19

Program corrections

In EWARM 9.10.2
[CSTAT-590, EWARM-8768]

C-STAT does not generate a message for the check RED-unused-return-val on function pointers. Example:

        typedef int (*funcp)(void);
        int f(void) { return 0; }
        int g(void) {
          funcp p = f;
          p(); // This line should yield a message regarding a discarded return value
          return 0;
        }

In EWARM 9.10.2
[CSTAT-589, EWARM-8767] When performing the check LIB-memcpy-overrun-pos, if the memcpy() function is called with an argument that is a field access of a struct, C-STAT calculates the size of that argument to be the total size of the struct instead of just the size of the field.
In EWARM 9.10.2
[EWARM-8725, TPB-3514] C-STAT can in some cases disregard qualifiers (such as const and volatile) for function parameters when analyzing source files compiled for Standard C++. This can for example cause the check CERT-EXP37-C_b to generate a message about a mismatch in parameter types for a function declaration and its definition.
In EWARM 9.10.2
[CSTAT-586, EWARM-8609] C-STAT can erroneously generate messages from header files that contain the #pragma system_include.
In EWARM 9.10.2
[CSTAT-585, EWARM-8605] For the check MISRAC2012-Rule-9.2, initializing a float array with 0 does not count as a zero initialization. The code float arr[3] = {0}; will, for example, generate a message.
In EWARM 9.10.2
[CSTAT-583, EWARM-8590] Calls to memcpy can report messages regarding overlapping memory when both pointer arguments point to the same object and they are accessed with an offset, such as memcpy(ptr+8, ptr+16, 7);.
In EWARM 9.10.2
[CSTAT-580, EWARM-8522] Decrementing (--) a variable of unsigned type inside the body of a for loop can make C-STAT incorrectly assume that the variable can wrap around, causing the variable to have an over-approximated interval.
In EWARM 9.10.2
[CSTAT-578, EWARM-8440]
The C-STAT check MEM-stack-param, and other identical checks, can in some cases incorrectly interpret taking the address of a local pointer that aliases a global, as a stack address.
```
char g[10];
        void f(char ** const pp)
        {
          char *p = g;
          *pp = &p[0]; // MEM-stack-param message
        }
        
```
In EWARM 9.10.2
[CSTAT-575, EWARM-8311] C-STAT does not detect that if(a < b) is always true when b is larger than the maximum value for a.
[CSTAT-571, EWARM-8270] The HTML report generated by C-STAT does not show the suppressed messages (if any) that should be shown on the HTML pages for each individual source file.
[CSTAT-569, EWARM-8234, TPB-3467] The parser does not provide C-STAT with sufficient information for suppressing link analysis messages. This is the cause of issue ~~EWARM-8234~~.
[EWARM-8034, TPB-3431] When producing input for the C-STAT static analyzer, the compiler can terminate with an internal error if the __noreturn keyword is used on both the declaration and the definition of a static member function.

New features

None.

V8.50 2020-02-17

Program corrections

In EWARM 8.50.9
[EWARM-8129, TPB-3454] C-STAT can terminate with an internal error ("XML node id=nnn not found") when analyzing code that uses C++ lambda functions.
In EWARM 8.50.9
[CSTAT-552, EWARM-8044] The checks MEM-stack-param, MISRAC2012-Rule-1.3_s, MISRAC2012-Rule-18.6_d, and CERT-DCL30-C_e erroneously consider the address of a pointer parameter that is accessed with the subscript operator to be a stack address.
In EWARM 8.50.9
[CSTAT-551, EWARM-8046] Initializing an aggregate or union with a struct or union field can incorrectly generate a MISRA2012-Rule-9.2 message, even if the initializer is properly enclosed in braces.
[CSTAT-550, EWARM-8048] The check CERT-EXP43-C_b can in some circumstances generate a message for a memcpy(p+n,p,n) call, incorrectly reporting that the pointer arguments overlap.
In EWARM 8.50.9
[CSTAT-549, EWARM-8032] The check MISRAC++2008-6-4-3 incorrectly requires switch statements to have a default clause.
In EWARM 8.50.9
[CSTAT-543, EWARM-7915] Using the offsetof macro generates a message for MISRAC2012-Rule-7.2.
In EWARM 8.50.9
[CSTAT-544, EWARM-7914] MISRAC++2008-6-5-5 interprets a loop counter to be only variables assigned in the init statement of a for loop. It should also include any variable assigned prior to the loop.
In EWARM 8.50.9
[CSTAT-545, EWARM-7913] The check MISRAC++2008-6-5-4 incorrectly requires that the loop counter is incremented or decremented by a constant value rather than by a value that is constant for the duration of the loop.
In EWARM 8.50.9
[CSTAT-541, EWARM-7901]
This code generate a message for MISRAC2012-Rule-18.8 regarding the usage of variable length arrays.
```
        extern struct {
          int m;
        } a[];
        
```
In EWARM 8.50.7
[EWARM-7888, TPB-3411] C-Stat can terminate with an internal error (unknown dyinit: 8) in some cases that involve C++ lambda functions.
In EWARM 8.50.9
[CSTAT-539, EWARM-7884] Taking the address of a variable declared as a reference does not count as a potential modification of that variable. This can lead to false positives for the check MISRAC++2008-7-1-1, stating that the variable should be declared as const.
In EWARM 8.50.9
[CSTAT-538, EWARM-7864]
In cases like the example, the size of the underlying array of the *p statement can be calculated incorrectly by C-STAT.
```
        int (*p)[3];
        *p;
        
```
In EWARM 8.50.9
[CSTAT-537, EWARM-7841] The checks MEM-stack-global, MISRAC++2008-7-5-2_a, MISRAC2004-17.6_b, MISRAC2012-Rule-18.6_b, and CERT-DCL30-C_c consider saving the address of a static variable as if it were a local variable that was saved.
In EWARM 8.50.7
[EWARM-7811, TPB-3412] C-STAT can terminate with an internal error when analyzing code that uses C++ generic lambdas.
In EWARM 8.50.9
[CSTAT-534, EWARM-7808] When running C-STAT from within the Embedded Workbench IDE or by using the commands command from the command line, the first object file sent to the link analysis is not included in the analysis.
In EWARM 8.50.9
[CSTAT-531, EWARM-7807] The check CERT-EXP40-C_a erroneously reports modifications on non-const structure fields as const modifications.
In EWARM 8.50.9
[CSTAT-533, EWARM-7804] The MISRAC2012-Rule-21.16 check can cause C-STAT to terminate with an internal error when the memcmp function is called with arguments of type const void *.
In EWARM 8.50.9
[CSTAT-532, EWARM-7796] Using the C-STAT comment directive //cstat +<tag> reenables all currently disabled checks instead of only the matching tag.
In EWARM 8.50.9
[CSTAT-530, EWARM-7788] Calling standard library functions that take a pointer and a size argument (for example memset and strncat), when the size argument is a number larger than 31 bits, can cause C-STAT to terminate with an internal error.
In EWARM 8.50.4
[CSTAT-525, EWARM-7734] If a source file generated 0 messages In the C-STAT analysis report, it is listed twice in the Messages table.
In EWARM 8.50.4
[CSTAT-516, EWARM-7634] C-STAT exits with an ambiguous error if the compiler command line for a source file is longer than 32,768 characters.
In EWARM 8.50.4
[CSTAT-515, EWARM-7628] The check MISRAC2012-Rule-14.4_c does not consider array members of a struct to be able to have essentially Boolean type.
In EWARM 8.50.4
[CSTAT-512, EWARM-7603] The check MISRAC2012-Rule-9.2 generates a message when an aggregate initialization has a designated initializer of type struct or union, and the initializer expression has a compatible type.
In EWARM 8.50.4
[CSTAT-511, EWARM-7595]
Using the !tag comment directive does not suppress messages if there are multiline comments following the directive. For example:
```
        /*cstat !MISRAC2012-Dir-4.6_a */
        /* This is
        * a multiline comment */
        int a; /* Suppression not enabled */
        
```
In EWARM 8.50.4
[CSTAT-510, EWARM-7594] The argument given to the --exclude option is treated as being appended with the wildcard (*) character, which can make it match more source files than intended.
In EWARM 8.50.4
[CSTAT-509, EWARM-7579] The checks MISRAC2004-15.0, MISRAC2012-Rule-16.1, and MISRAC++2008-6-4-3 consider switch statements with nested blocks inside a case clause to be ill-formed switches.
In EWARM 8.50.4
[CSTAT-507, EWARM-7577] If a file has generated messages from one analysis pass and is being analyzed again (without clearing the analysis results first), the --exclude option has no effect.
In EWARM 8.50.4
[CSTAT-503, EWARM-7568]
The checks ARR-inv-index-ptr-pos, MISRAC++2008-5-0-16_f, MISRAC2012-Rule-18.1_d, and CERT-ARR30-C_d: Dereferencing the address of a field access of a struct pointer can lead to an Internal error if the field access is considered to be out of bounds. An example:
```
        typedef struct { int arr[2] } S;
        S *s;
        *(&s->arr[3]) = 10;
        
```
In EWARM 8.50.4
[CSTAT-501, EWARM-7558]
The check MISRAC2012-Dir-4.6_a can report false positives when there are implicit or explicit casts on basic types in array definitions. For example:
```
        #include <stdint.h>
        uint8_t arr[ (uint8_t) 8u ];
        
```
In EWARM 8.50.4
[CSTAT-499, EWARM-7556] The checks LIB-sprintf-overrun and SEC-BUFFER-sprintf-overrun use the length of the unformatted second argument to the function sprintf for comparison with the first argument, instead of using the length after it has been formatted.
In EWARM 8.50.4
[CSTAT-500, EWARM-7555] In the C-STAT Static Analysis Guide, some checks that are identical do not have the same set of matching coding standards listed.
In EWARM 8.50.4
[EWARM-7547, TPB-3328] When performing static analysis for C-STAT, the compiler can terminate with the very misleading message: "Lambdas nested too deeply; maximum depth is 10" if there are more than 10 lambda functions in the same function, regardless of the depth of nesting.
In EWARM 8.50.4
[CSTAT-496, EWARM-7538] Analyzing a module with several thousand globally defined variables can cause C-STAT to run out of memory.
In EWARM 8.50.4
[CSTAT-489, EWARM-7525] C-STAT check CERT-ARR38-C_d looks for C library functions that manipulate arrays or objects. These functions take the number of elements to manipulate as one of their arguments. If C-STAT cannot determine this value, it can cause an internal error.
In EWARM 8.50.4
[CSTAT-488, EWARM-7506] The checks MEM-stack-param, MISRAC++2008-7-5-2_c, MISRAC2004-17.6_d, MISRAC2012-Rule-1.3_s, MISRAC2012-Rule-18.6_d and CERT-DCL30-C_e identify stack addresses assigned to pointer parameters. In some cases where the local variable is declared as static, this is wrongly considered as a violation. Moreover, the checks incorrectly do not consider taking the address of a non-static local array to be a violation.
In EWARM 8.50.4
[CSTAT-483, EWARM-7431] The check MISRAC++2008-5-0-8 incorrectly interprets explicit casts of a single variable in a return expression as a cvalue, for example, return static_cast<type>(var);
[CSTAT-482, EWARM-7420] The check MISRAC2012-Rule-1.3_u calculates the underlying type's size of an array of pointers incorrectly.
[CSTAT-465, EWARM-7388] The check MISRAC++2008-2-10-6 incorrectly reports conflicting names for the same template if it is instantiated more than once.
[CSTAT-454, EWARM-7339]
The checks MISRAC++2008-0-2-1, MISRAC2004-18.2, MISRAC2012-Rule-19.1, and UNION-overlap-assign can produce a false positive regarding overlapping assignments if a union access is inside a subscript operator.

For example:
```
        void fn()
        {
          union {
            int a;
            int b;
          } U;
          int arr[5];
          arr[U.a] = U.b; /* False positive here */
        }
        
```
[CSTAT-453, EWARM-7327] The check MISRAC++2008-0-1-7 incorrectly gives a warning when the return value of an overloaded operator is discarded.
[CSTAT-451, EWARM-7294] The check SEC-BUFFER-tainted-index can fail to identify a possible violation when a tainted value is sent as a function parameter and the function uses the tainted value as an array index.
[CSTAT-450, EWARM-7288] The checks MISRAC++2008-5-0-15_a and MISRAC2004-17.4_a incorrectly allow pointer arithmetic to be used on structure members declared as pointers.
[CSTAT-449, EWARM-7286] For the checks MISRAC++2008-5-0-13_c, MISRAC2004-13.2_c, and MISRAC2012-Rule-14.4_c, using a function pointer as a controlling expression generates a message even if the return type of the function is essentially Boolean.
[CSTAT-440, EWARM-7201] Re-analyzing an unchanged source file in C-STAT can result in a lower number of messages reported compared to the previous analysis.
[CSTAT-439, EWARM-7196] The checks CONST-member-ret and MISRAC++2008-9-3-1 generate a message when a const member function returns a pointer-to-const to class-data, even if the member variable is declared as a pointer-to-const.
[CSTAT-434, EWARM-7166] C-STAT can calculate the size for function parameters of type void * incorrectly, which leads to misleading results of the analysis.
[CSTAT-433, EWARM-7165] The check MISRAC2012-Dir-4.6_a triggers erroneously if expr in int8_t arr[expr]; is a composite expression and consists of implicit or explicit casts.
[CSTAT-432, EWARM-7164] The check MISRAC2012-Rule-18.8 erroneously reports a problem with the declaration of a variable length array if expr in int arr[expr] is something other than a constant integer.
[CSTAT-430, EWARM-7129] In the report of the analysis results, the table "Project wide enabled checks" incorrectly lists the enabled checks and all of their identical equivalents from other packages. Only the enabled checks should be listed.

New features

In EWARM 8.50.4

MISRA C:2012 Amendment 1
The Static analysis tool C-STAT has extended its coverage of the MISRA C:2012 Coding Standard and now fully supports MISRA C:2012 Amendment 1. This Amendment adds 14 additional rules to MISRA C:2012 with a focus on security concerns highlighted by the ISO C Secure Guidelines. Several of these address specific issues pertaining to the use of untrustworthy data, a well-known security vulnerability.
Extended coverage of CERT C
The static analysis tool C-STAT has extended its coverage of the SEI CERT C Coding Standard. The SEI CERT C Coding Standard's goal is to provide rules for developing safe, reliable and secure systems in the C programming language, with support for C11 constructs. C-STAT covers all rules in the different CERT C sections listed at the CERT C wiki as of January 2020, with the exception of the API, CON, POS and WIN sections which are not applicable to our products, yielding a total of 90 covered rules.

Link analysis trace information
The link analysis messages now display trace information when relevant. For checks looking for conflicting symbol names, all conflicting declarations are now listed in the trace information instead of each pair of conflicts being described in a separate message. This might lead to fewer reported messages for the same number of found issues.

V8.42 2020-01-17

Program corrections

[EWARM-7158, TPB-3254] C-STAT can report an internal error about a missing size attribute, even though no error occurred. This can happen when array declarations such as int arr[expr]; (where expr is not a constant integer) are used.

New features

None.

V8.40 2019-05-24

Program corrections

In EWARM 8.40.2:
[CSTAT-426, EWARM-7024] The check PTR-null-cmp-bef will only give one warning, regardless of how many violations against the rule it finds.
In EWARM 8.40.2:
[CSTAT-425, EWARM-7013] If C-STAT analyzes the same code a second time, and the only change in the code is an added comment directive, the directive does not have any effect.
In EWARM 8.40.2:
[CSTAT-424, EWARM-7008] C-STAT estimates the size of an array of pointers incorrectly.
In EWARM 8.40.2:
[EWARM-7002, TPB-3202] Checks for the rules MISRAC++2008-5-18-1, MISRAC2004-12.10, and MISRAC2012-Rule-12.3 incorrectly generate a message for compiler-generated code that uses the , (comma) operator. (Such code patterns can be introduced by, for instance, range-based for loops.)
In EWARM 8.40.2:
[CSTAT-421, EWARM-6998] The check for MISRAC++2008-6-5-4 incorrectly produces a message if the loop counter in a function is an iterator.
In EWARM 8.40.2:
[CSTAT-420, EWARM-6997] Checks for the rules MISRAC++2008-6-2-1 and MISRAC2012-Rule-13.4_b incorrectly generate a message for compiler-generated code with assignments in sub-expressions. (Such code patterns can be introduced by, for instance, range-based for loops.)
In EWARM 8.40.2:
[CSTAT-419, EWARM-6953] The directive in a comment for disabling a check for the immediately following function (//cstat #tag) can sometimes fail to disable the specified check.
In EWARM 8.40.2:
[CSTAT-418, EWARM-6937] The --exclude option does not work when the path is absolute.
In EWARM 8.40.2:
[EWARM-6921, TPB-3181] The inline functions for the generic functions isunordered and islessgreater have the wrong return types in C. This triggers MISRA-C:2004 rule 10.1 messages in the compiler and in C-STAT.
In EWARM 8.40.2:
[CSTAT-417, EWARM-6897] In some cases, C-STAT interprets the result of the addition operators + or += as to be of unsigned type, even if none of the operands are of unsigned type.
In EWARM 8.40.2:
[CSTAT-415, EWARM-6852] The check MISRAC2012-Dir-4.8 incorrectly warns when there is no pointer to a visible struct or union that can be dereferenced.
In EWARM 8.40.2:
[EWARM-6850, TPB-3173] MISRAC2012-Rule-12.1, MISRAC++2008-5-0-2, MISRAC2004-12.1: These checks do not generate messages for missing parentheses on expressions inside the square brackets of an array. Example: int arr[1+2*3].
In EWARM 8.40.2:
[CSTAT-412, EWARM-6847] Using the wildcard character (*) in C-STAT comment directives has no effect.
[CSTAT-413, EWARM-6846] MISRAC2012-Rule-1.3_t: The message incorrectly says "copying x bytes to..." instead of "copying x bytes to/from..." while the size of both the source and the destination of the memcpy function call are checked.
In EWARM 8.40.2:
[CSTAT-411, EWARM-6845] When using comment characters and operators to disable or enable C-STAT messages for specific checks, /*cstat op [op op...]*/, the last op and */ must be separated with a whitespace.
[CSTAT-409, EWARM-6792] C-STAT can in some cases report an incorrect size for objects that are accessed via either the . (dot) or -> (arrow) operator.
[CSTAT-408, EWARM-6781] For MISRAC2012-Rule-8.7, a function definition is incorrectly not considered as a reference of a function.
[CSTAT-407, EWARM-6780] MISRAC2012-Rule-14.1_a and MISRAC++2008-6-5-1_a incorrectly warn when any object in the controlling expression is of type float. These checks should only warn if the loop counter is of type float.
[CSTAT-406, EWARM-6772] C-STAT can generate messages that incorrectly refer to line '0' (MISRAC2004-1.1 is an exception to this).
[CSTAT-404, EWARM-6762] A typedef in a header file can incorrectly be seen as non-unique when the header file is included from multiple source files. This can make MISRAC2012-Rule-5.6 report a false positive.
[CSTAT-403, EWARM-6761] Declarations in a header file can incorrectly be seen as multiple declarations, when the header file is included from multiple source files, and make MISRAC2012-Rule-8.5_b generate a false positive.
[CSTAT-402, EWARM-6739] Certain declarations, break and continue statements inside if, for and while statements, can make rule CERT-EXP19-C produce false positives.
[CSTAT-400, EWARM-6702] Using NULL in assert macros triggers false positives for MISRAC2012-Rule-11.9.
[EWARM-6354, TPB-3006] Array boundaries can be incorrectly calculated, for C-STAT, when the array type consists of more than one level of typedef specifiers and the array is placed inside a struct.

New features

For better correlation between the number of C-STAT messages and the number of potential problems, two or more checks that identify an identical problem are now consolidated in the analysis report. This might lead to fewer messages (but not fewer reported potential problems).

V8.32 2018-10-12

Program corrections

In EWARM 8.32.3 [CSTAT-399, EWARM-6662] C-STAT considers accessing a volatile object through the -> (arrow) or . (dot) operators as a volatile write operation.
In EWARM 8.32.3 [CSTAT-398, EWARM-6658] It is not possible to suppress link analysis messages in C-STAT.
In EWARM 8.32.3 [CSTAT-396, EWARM-6595] Using a section operator, for example __segment_begin, as a function parameter causes an internal error in C-STAT.
In EWARM 8.32.3 [CSTAT-393, EWARM-6575] Running an analysis on an unchanged file with the check MISRAC2012-Dir-4.6_a enabled can in rare cases cause C-STAT to report an internal error.
In EWARM 8.32.3 [CSTAT-391, EWARM-6526] In some rare cases, C-STAT can misidentify how function parameters are used.
In EWARM 8.32.3 [CSTAT-389, EWARM-6514] Arrays with more than 100 elements can cause C-STAT to crash if the check MISRAC2012-Rule-10.3 is enabled.
In EWARM 8.32.3 [CSTAT-387, EWARM-6507] C-STAT does incorrectly not consider returning a struct from a function to be a use of the struct.
In EWARM 8.32.3 [CSTAT-386, EWARM-6411] Source files larger than 16 MBytes can cause C-STAT to crash.
[CSTAT-377, EWARM-6373] Saving a function address is considered as a function call. This can lead to false positives for checks which look for recursion, such as MISRAC2012-Rule-17.2_b.

New features

None.

V8.30 2018-06-15

Program corrections

In 8.30.2
[CSTAT-375, EWARM-6345] If an analysis of a source file only consists of suppressed messages, IAR Embedded Workbench will not output "Analyzing xxxx" in the Build window.
In 8.30.2
[CSTAT-372, EWARM-6289] Array indices are calculated incorrectly when the array is a field (but not the first field) of a struct.
[CSTAT-368, EWARM-6189] MISRAC2012-Rule-17.5 might report false positives if the parameter is a global array.
[CSTAT-364, EWARM-6161] The severity level for the checks MISRAC2012-Rule-8.9_a and MISRAC2012-Rule-8.9_b is incorrect. It should be Low, not Medium.
[CSTAT-363, EWARM-6151] if (++foo != 0) or if (--foo != 0) does not count as a comparison of foo against 0.
[CSTAT-360, EWARM-6142] MISRAC2012-Rule-8.3_b generates a message for inconsistent types between global variables with the same name even if the variables are declared as static.
[CSTAT-359, EWARM-6141] There are no link analysis messages when the paths to the source files contain white spaces. This occurs both when running icstat with the commands command and when performing an analysis in IAR Embedded Workbench.
[CSTAT-357, EWARM-6137] Access ranges of arrays inside structs are not calculated correctly. This can for example generate false positives for the check ARR-inv-index-ptr-pos.
[CSTAT-353, EWARM-6081] Function parameters for non-static functions are given an estimated value range based on an analysis of all function calls inside the module where the function is defined. This might introduce false positives when the function is called from another module.

New features

None.

V8.22 2018-01-22

Program corrections

[CSTAT-362, EWARM-6138] The range of the right-hand side argument of shift operations can in some cases get calculated incorrectly, which in turn might generate false positives for ATH-shift-bounds.
[CSTAT-350, EWARM-6090] MISRAC2012-Rule-13.8 does not issue a message when a non-const pointer is assigned or copied to another non-const pointer that in turn is never modified or copied. In this case, both pointers can be declared with the const attribute.
[CSTAT-343, EWARM-6074] ARR-inv-index does not check for buffer overflows when the operator & is used, e.g., &arr[i].
[CSTAT-346, EWARM-6071] MISRAC2012-Rule-16.1: A case clause is not allowed to have multiple break, goto, or return statements.
[CSTAT-345, EWARM-6070] Exception 1 of MISRA C 2012 Rule 10.3 is not applied to array types.
[CSTAT-334, EWARM-5920] Calculating & on large numbers can cause C-STAT to produce an internal error.

New features

None

V8.20 2017-10-16

Program corrections

In EWARM 8.20.2
[EWARM-5989, CSTAT-340] Returning an object that is neither signed nor unsigned can produce an internal error.
In EWARM 8.20.2
[EWARM-5976, CSTAT-339] MISRAC++2008-7-1-2: Calling a non-const member function of a function parameter is not considered as a potential write operation of that parameter.
In EWARM 8.20.2
[EWARM-5950, CSTAT-337] Link messages from different checks referring to the same symbol can erroneously get filtered.
In EWARM 8.20.2
[EWARM-5920, CSTAT-334] Calculating & on large numbers can cause C-STAT to produce an internal error.
In EWARM 8.20.2
[EWARM-5908, CSTAT-333] MISRAC2012-Rule-8.4 requires the function main to have a separate declaration.
In EWARM 8.20.2
[EWARM-5867, CSTAT-331] The underlying type of expressions containing an enum or boolean type is evaluated erroneously.
[EWARM-5848, CSTAT-329] In some rare cases C-STAT might fail to display messages caused by problems in a header file, because of issues with case-sensitivity.
[EWARM-5844, CSTAT-328] It is not possible to use the option --exclude with a path that contains directory separators.
[EWARM-5843, CSTAT-327] If the option --exclude is used more than once, only the last option has any effect.
[EWARM-5808, CSTAT-324, EW26733] MISRAC2012-Rule-10.1_R3 triggers on array access' when the array has elements of type boolean.
[EWARM-5807, CSTAT-323, EW26731] The check MISRAC2012-Rule-10.3 disregards array and pointer assignments.
[EWARM-5793, CSTAT-322, EW26708] The size of return values are not taken into consideration when calculating their lower and upper bounds.
[EWARM-5792, CSTAT-321, EW26706] C-STAT does not identify overflows on memset and related functions when the destination is something other than just an identifier.
[EWARM-5781, CSTAT-318, EW26688] These checks might produce false positives when the switch statement is inside a loop: MISRAC2012-Rule-16.3, MISRAC++2008-6-4-5, and MISRAC2004-15.2.
[EWARM-5779, EW26681] ATH-overflow may falsely trigger when the left operand of the bit-wise AND operation is of the same size as the result.
[EWARM-5746, EW26636] C-STAT considers accessing a volatile object through the -> (arrow) or . (dot) operators as a volatile write operation.
[EWARM-5743, EW26630] Link messages are not part of the output of icstat when executing the 'load' command via the command line.

New features

None

V8.11 2017-04-11

Program corrections

C-STAT cannot handle comments with non-ASCII characters if the compiled source file uses the Raw encoding format.
[EW26477]
In EWARM 8.11.2:
Global arrays declared with the keyword static are incorrectly assumed to have constant values.
[EW26461]
In EWARM 8.11.2:
MISRAC2012-Rule-8.13: C-STAT does not consider sending a variable as a function parameter via operators such as & (address-of) and [] (subscript) as a potential use of the variable.
[EW26560]
In EWARM 8.11.2:
MISRAC2012-Rule-2.2_b: C-STAT does not consider sending a struct object through an aliased pointer as a potential write operation on the struct's fields.
[EW26562]

New features

None.

V8.10 2017-03-10

Program corrections

Assignment operations in a separate function on a variable which is passed by reference can lead to false positives produced by MISRAC++2008-0-1-6 and similar C-STAT checks.
[EW26117]
It's possible to try to generate a C-STAT report on a project that has not yet been analyzed.
[EW26173]
ATH-overflow is unable to detect overflows for shorthand assignment operators.
[EW26194]
Projects where the combined absolute paths of all source files exceeds 32,768 characters cause the link analysis to crash.
[EW26217]
MISRAC++2008-7-1-1 does not consider 1) calling a non-const member function and 2) taking the address of a struct variable and writing to one of its fields as modifications.
[EW26219]
The type of a ternary expression is falsely decided by the type of its first operand.
[EW26243]
C-STAT might report that the left-hand side argument of a right-shift operation has a negative interval even though the expression is unsigned.
[EW26258]
A non-const pointer using a parameter for an impure function is considered a violation to MISRAC2012-Rule-8.13.
[EW26260]
Non-system external functions with return type void are not considered as having side effects.
[EW26262]
C-STAT erroneously considers accessing a struct field inside a subscript operation on the left hand side of an assignment as writing to that struct field.
[EW26264]
C-STAT might report that the right-hand side argument of a left-shift operation has a negative interval even though the expression is unsigned.
[EW26271]
Boolean pointers are not considered to have boolean type.
[EW26273]
Use of global objects are not registered if the use involves implicit casts. This could lead to triggering of false positives for MISRAC2012-Rule-8.9_b.
[EW26275]
Literal 0 is interpreted as NULL by SEC-NULL-literal-pos and PTR-null-literal-pos.
[EW26283]
EXP-main-ret-int signals a false positive when the return type of main() is a typedef of type int.
[EW26285]
Taking the address of a volatile object is not considered as a non-volatile operation.
[EW26302]
Using a static global on the right-hand side of a global assignment is not considered a use and can thus trigger false positives for MISRAC2012-Rule-8.9_a.
[EW26304]
Comparing values accessed through the subscript operator on different arrays is considered as comparisons between different pointers, thus falsely trigger MISRAC2012-Rule-18.3.
[EW26307]
A struct field which is a typedef with the character sequence bool, Bool or BOOL in its name is not considered to be of boolean type.
[EW26316]
Using a struct field which is a typedef consisting of the character sequence bool, Bool or BOOL as a conditional causes MISRAC2012-Rule-14.4 to generate false positives.
[EW26318]
Implicit casts could in some cases cause C-STAT to believe an unsigned variable could have a negative value interval.
[EW26365]
C-STAT fails with an Internal error when analyzing code which contains a char with a value larger than 31 bits.
[EW26392]
When using multiple --exclude options, only the last option has any effect.
[EW26438]

New features

None.

V7.80 2016-10-17

Program corrections

MISRA-C:2004 rule 11.4 does not give a message for casting an array into a pointer.
[EW26207]

V7.70 2016-06-17

Program corrections

C-STAT: MISRAC2004-17.4_b now handles multi-dimensional arrays.
[EW26056]
In EWARM 7.70.2:
C-STAT produces false positives for MISRAC2012-Rule-10.1_R2 when a boolean expression contains a nested ternary operator which is essentially boolean.
[EW26082]
In EWARM 7.70.2:
The rule MISRAC2012-Rule-12.1 / MISRAC++2008-5-0-2 / MISRAC2004-12.1 generates false positives regarding suggestions to enclose sizeof() expressions with parentheses for increased clarity.
[EW26083]
In EWARM 7.70.2:
Suppressing C-STAT checks over an interval with the use of wildcards does not work as intended.
[EW26092]
In EWARM 7.70.2:
The 'underlying type' is sometimes incorrectly determined for the check MISRAC++2008-5-0-6.
[EW26118]
In EWARM 7.70.2:
MISRAC2012-Rule-11.9 does not generate messages for implicit (void *)0 casts, e.g., void *p = 0
[EW26120]
In EWARM 7.70.2:
MISRAC2012-Rule-8.13: Pointers that are copied by assignment are no longer required to be const-qualified.
[EW26196]
In EWARM 7.70.2:
CERT-EXP19-C generates too many false positives for missing braces for else-if statements.
[EW26198]

New features

None.

V7.60 2016-03-31

Program corrections

C-STAT: The C-STAT check CONST-param doesn't handle & parameters.
[EW25294]
C-STAT: The C-STAT checks doesn't check array initialization inside objects.
[EW25398]
C-STAT: Code accessing fields of an anonymous union triggers an Internal error.
[EW25776]
C-STAT: LIB-memcpy-overrun and MISRAC2012-Rule-1.3t may incorrectly calculate the size of the destination memory.
[EW25908]

New features

Extended functionality in C-STAT
The static analysis tool C-STAT has been extended with approximately 150 new checks including 90 new MISRA C:2012 checks and two new packages of checks. There are also new options to enable or disable the false-positives elimination phase of the analysis and to exclude files from the analysis. C-STAT message suppression can now be controlled by directives placed in comments in the source files. For more information see the release notes for the compiler.

V7.50 2015-11-10

Program corrections

C-STAT might encounter a fatal error if the path to the object file, in the compiler command line, contains certain multibyte characters.
[EW25766]

New features

Analysis report generation in C-STAT
It is now possible to generate analysis reports from C-STAT in html format. See C-STAT Static Analysis Guide for more information.

V7.40 2015-02-19

Program corrections

In EWARM 7.40.2:
C-STAT: When icstat has timed out it does not mention this in any way or form.
[EW25262]
In EWARM 7.40.2:
C-STAT: The check ATH-div-0-cmp-aft now uses the analyzed interval ranges, if applicable.
[EW25300]
In EWARM 7.40.2:
C-STAT: MISRAC2012-Rule-15.6_c does not accept that an else immediatley followed by if should not get a message
[EW25330]
In EWARM 7.40.3:
C-STAT: The ananlysis does not consider va_start as an initialization of a variable.
[EW25319]
In EWARM 7.40.3:
C-STAT: When checking MISRAC2012-Dir-4.10 (include guards), any system header included using "..." instead of <...> is considered in violation of the rule.
[EW25321]
In EWARM 7.40.3:
C-STAT: MISRAC2012-Dir-4.6_a can erroneously be diagnosed as violated in some cases. In particular, using a volatile or const modifier in an array type declaration can cause this behavior.
[EW25323]
In EWARM 7.40.3:
C-STAT: The interval solver in C-STAT erroneously uses the initialized value of a global or static volatile variable.
[EW25332, EW25389]
In EWARM 7.40.3:
C-STAT: signed integer constant expression zero gives an erroneous message for MISRAC2012-Rule-10.1_R7 (the right operand of a shift should be essentially unsigned).
[EW25343]
In EWARM 7.40.3:
C-STAT: MISRAC2012-Rule-10.3/4 sometimes gives a message erroneously (return of a bool and a compare of a bool with integer constants 0 and 1).
[EW25355]
In EWARM 7.40.3:
C-STAT: Volatile accesses inside sizeof() expressions are considered as a side effect.
[EW25381]
In EWARM 7.40.3:
C-STAT: MISRAC++2008-2-13-3 incorrectly flags enumeration constants.
[EW25412]
In EWARM 7.40.3:
C-STAT: MISRAC++2008-8-5-2 fails for arrays with more than 100 elements even though it uses an initializer with the correct amount of elements.
[EW25422]
In EWARM 7.40.5:
C-STAT: MISRAC2012-Rule-10.3/4 does not treat the enum constants 0 and 1 as boolean.
[EW25370]
In EWARM 7.40.5:
C-STAT: The checks CONST-param, MISRA-C:2004-16.7, and MISRA C++:2008-7-1-2 do not detect array assignments for parameters.
[EW25547]
In EWARM 7.40.5:
C-STAT: The check MISRA-C:2004 19.15 can, spuriously, generate messages for source files in directories that are not subdirectories of the project directory ( $PROJ_DIR$ ).
[EW25549]
In EWARM 7.40.5:
C-STAT: The detection of whether a macro is coming from a system header or not is faulty. In this case it incorrectly generates a message for the use of offsetof.
[EW25603]
In EWARM 7.40.5:
C-STAT now reports fewer false positives for the check SPC-volatile-reads.
[EW25607]
In EWARM 7.40.5:
C-STAT, MEM-stack-global-alias: Assigning a value from an array to a global variable is no longer interpreted as assigning a stack address to it.
[EW25609]

New features

C-STAT
The add-on product C-STAT for static analysis is now supported. C-STAT features innovative static analysis that can detect defects, bugs, and security vulnerabilities as defined by CERT and the Common Weakness Enumeration, as well as help keeping code compliant to coding standards like MISRA C:2012/2004 or MISRA C++:2008. For more information, see C-STAT Static Analysis Guide.