S32R274 S32 SDK RTD: vaiolations found by checking with QAC against the FlexCAN driver

nxf47685 · ‎02-02-2023

Hi,

I have questions about FlexCAN driver. A customer checked the FlexCAN driver source code with QAC and found some points.

Following is comment and questions from the customer:#

In the following functions of the FLEXCAN driver QAC pointed out that the uninitialized stack variable cs is specified as a function argument in the following functions of the FLEXCAN driver.

FLEXCAN_DRV_ConfigTxMb() FLEXCAN_DRV_ConfigRemoteResponseMb() FLEXCAN_DRV_ConfigRxMb()

In the functions FLEXCAN_SetRxMsgBuff() and FLEXCAN_SetRxMsgBuff(), the by specifying an uninitialized stack variable cs as an argument. Is it guaranteed that the uninitialized stack variable "cs" will not cause a problem?

In the following functions of the FLEXCAN driver The risk of alignment inconsistency due to 4-byte typecasting of 1-byte arrays has been pointed out by QAC.

FLEXCAN_SetTxMsgBuff(): (const uint32_t *)msgData FLEXCAN_GetMsgBuff(): (uint32_t *)(msgBuff->data) FLEXCAN_ReadRxFifo(): (uint32_t *)(rxFifo->data)

Is 4-byte address placement in a 1-byte array guaranteed by the linker?

=============================================================================================================================

I believe the second point is the one with the following comment in the source code

@section [global]
Violates MISRA 2012 Required Rule 11.3, cast performed between a pointer to
object type and a pointer to a different object type
The cast is used for casting a bytes buffer into an words buffer in order to
optimize copying data to/from the message buffer. *

The first one does not have any comments in the source code?

Would the following be an answer to the customer's question? The customer is building with GHS tools, but I don't think this SW will work correctly under any conditions. It only works as a result of testing with the build option in NXP, not in all conditions, and I think the customer needs to test and verify if it works or not, is my understanding correct?

Nhi_Nguyen · ‎02-17-2023

Hello Minghong,

1. I found a problem in driver about this.

In the function FLEXCAN_DRV_ConfigRemoteResponseMb(), fields of cs are initilized:

/* Initialize transmit mb*/
cs.dataLen = tx_info->data_length;
cs.msgIdType = tx_info->msg_id_type;
cs.code = (uint32_t)FLEXCAN_RX_RANSWER;
#if FEATURE_CAN_HAS_FD
cs.fd_enable = false;
#endif

This function call sub function FLEXCAN_SetTxMsgBuff().

In the function FLEXCAN_SetTxMsgBuff(), fields used in cs are:

cs->enable_brs
cs->dataLen
cs->fd_padding
cs->msgIdType
cs->code
cs->fd_enable

So, there are 2 fields of cs weren't initialized yet: cs->enable_brs and cs->fd_padding, they can be assigned random values, this can lead to wrong result.

I raised a bug for this issue:

https://jira.sw.nxp.com/browse/ASDK-41394

2. As you said, The cast is used for casting a bytes buffer into an words buffer in order to optimize copying data to/from the message buffer.
Example:

const uint32_t * msgData_32 = (const uint32_t *)msgData;

It will copy number of bytes is multiple of 4.

for (databyte = 0; databyte < (cs->dataLen & ~3U); databyte += 4U)
{
FlexcanSwapBytesInWord(msgData_32[databyte >> 2U], flexcan_mb_data_32[databyte >> 2U]);
}

Then, copy number of remaining bytes.

for ( ; databyte < cs->dataLen; databyte++)
{
flexcan_mb_data[FlexcanSwapBytesInWordIndex(databyte)] = msgData[databyte];
}

So, I didn't see problem here.

Best regards,

Nhi

nxf47685 · ‎02-19-2023

Hi Nhi

thanks for your attention and confirmation, I will provide this feedback to our FAE and customer!

Regards

Minghong