Skip to content

refactor: S10.13 Security policies + CRC + Sync primitives conformance#384

Merged
DavidCozens merged 3 commits into
mainfrom
refactor/s10-13-security-crc-sync-conformance
May 17, 2026
Merged

refactor: S10.13 Security policies + CRC + Sync primitives conformance#384
DavidCozens merged 3 commits into
mainfrom
refactor/s10-13-security-crc-sync-conformance

Conversation

@DavidCozens

@DavidCozens DavidCozens commented May 17, 2026

Copy link
Copy Markdown
Owner

Purpose

Second per-group conformance story in E10, applying the S10.12 pilot recipe to the Security policies + CRC + Sync primitives group. Resolves all warning-mode findings raised by analyze-tidy and analyze-cppcheck (with the cppcheck-misra addon) against the files listed under Areas Affected.

Closes #383

Change Description

MISRA fixes — 3 new findings, each reviewed per-site

Rule Site Fix
5.9 Core/Source/SolidSyslogNullMutex.c:10 (bare instance collided with same name in NullSecurityPolicy and Crc16Policy) Renamed to NullMutex_Instance per the S10.08 / S10.12 <Class>_Instance convention. Couldn't move into _Create because _Destroy also touches it.
8.9 (advisory) Core/Source/SolidSyslogNullSecurityPolicy.c:24 (file-scope static instance only read in _Create) Moved into _Create as a block-scope static, matching the S10.12 QUEUE_NAME_PREFIX recipe.
8.9 (advisory) Core/Source/SolidSyslogCrc16Policy.c:17 (same pattern) Same fix — moved into _Create.

No new deviations. No new cppcheck-suppress inline comments. No count bumps to existing deviations (D.002 11.3 mutex casts / D.003 5.7 tag-name / D.010 2.4 anonymous-enum) — no new sites accrued.

CRC-16 inner-loop review

SolidSyslogCrc16.c was already MISRA-clean, so this was a deliberate "walk the loop and decide whether to tighten anything anyway" pass. Three small changes:

// before
for (int bit = 0; bit < BITS_PER_BYTE; bit++)
{
    if ((crc & MSB_MASK) != 0)

// after
for (uint_fast8_t bit = 0; bit < 8U; bit++)
{
    if ((crc & MSB_MASK) != 0U)
  • int bituint_fast8_t bit — match the comparand's unsigned essential type.
  • != 0!= 0U — U-suffixed literal style (S10.10 convention).
  • Dropped the BITS_PER_BYTE = 8U enum constant; inlined the literal.

The last one needed thinking — switching the loop variable to uint_fast8_t unmasked clang-tidy's bugprone-too-small-loop-variable, because anonymous-enum constants in C have essential type int regardless of the U suffix. clang-tidy compared the 8-bit loop variable against the 32-bit int enum bound and flagged it. Three options weighed (inline the literal; promote the constant to static const uint8_t; widen the loop variable to unsigned) — chose inline-the-literal because BITS_PER_BYTE was a one-use named constant whose meaning is self-evident from the surrounding CRC code. The other CRC enum constants (CRC16_CCITT_INIT, CRC16_CCITT_POLY, MSB_MASK) carry non-obvious values and retain their names.

Full discussion in DEVLOG.md.

Test Evidence

This is MISRA-conformance refactoring with no behaviour change — the bar is "existing tests stay green, gates clean".

Ran locally under the dev container:

  • cmake --preset debug && cmake --build --preset debug --target junit1122 tests, 0 failures
  • cmake --preset clang-debug && cmake --build --preset clang-debug --target junit → clean, 1122 ran
  • cmake --preset sanitize && cmake --build --preset sanitize --target junit → clean, 1122 ran
  • cmake --preset tidy && cmake --build --preset tidy0 findings
  • cmake --preset coverage && cmake --build --preset coverage --target coverage100% line coverage on every Linux-buildable file in scope
  • Standalone non-MISRA cppcheck Core/Source/ → clean (0 findings)
  • Full-tree cppcheck --addon=misrazero findings on S10.13 scope files
  • clang-format --dry-run --Werror on edited files → clean

Windows / BDD / OpenSSL integration jobs are CI's responsibility per the CLAUDE.md workflow note.

Areas Affected

Edited:

  • Core/Source/SolidSyslogCrc16.c
  • Core/Source/SolidSyslogCrc16Policy.c
  • Core/Source/SolidSyslogNullMutex.c
  • Core/Source/SolidSyslogNullSecurityPolicy.c
  • DEVLOG.md

In scope but already clean (no edits required):

  • Core/Interface/SolidSyslogSecurityPolicyDefinition.h
  • Core/Interface/SolidSyslogNullSecurityPolicy.h
  • Core/Interface/SolidSyslogCrc16.h
  • Core/Interface/SolidSyslogCrc16Policy.h
  • Core/Interface/SolidSyslogMutex.h
  • Core/Interface/SolidSyslogMutexDefinition.h
  • Core/Interface/SolidSyslogNullMutex.h
  • Core/Source/SolidSyslogMutex.c
  • Platform/Posix/Interface/SolidSyslogPosixMutex.h
  • Platform/Posix/Source/SolidSyslogPosixMutex.c
  • Platform/Windows/Interface/SolidSyslogWindowsMutex.h
  • Platform/Windows/Source/SolidSyslogWindowsMutex.c
  • Platform/FreeRtos/Interface/SolidSyslogFreeRtosMutex.h
  • Platform/FreeRtos/Source/SolidSyslogFreeRtosMutex.c

Summary by CodeRabbit

  • Refactor

    • Optimized internal implementations across security policy, CRC computation, and synchronization modules for improved code organization and maintainability.
  • Documentation

    • Added development log entry documenting recent conformance work and code adjustments.

Review Change Stack

Three new findings surfaced by cppcheck-misra in the S10.13 group:

- NullMutex.c:10 (5.9) — bare `instance` collides with same-named statics in
  NullSecurityPolicy.c and Crc16Policy.c. Renamed to `NullMutex_Instance` per
  the S10.08 / S10.12 `<Class>_Instance` convention. Can't move into _Create
  because _Destroy also touches it.

- NullSecurityPolicy.c:24 (8.9) — file-scope `static instance` only read in
  _Create. Moved into _Create as a block-scope static.

- Crc16Policy.c:17 (8.9) — same pattern, same fix.

No new deviations, no new cppcheck-suppress comments. Full-tree
cppcheck-misra clean on the three files post-edit; clang-tidy clean
tree-wide; 1122 unit tests pass.
Three small changes reviewed point-by-point in the CRC-16 inner loop:

- `int bit` → `uint_fast8_t bit` — match the comparand's unsigned essential
  type. cppcheck-misra's chosen 10.4 subset doesn't flag the signed/unsigned
  mix in for-loop bounds, but it's still the right type.

- `!= 0` → `!= 0U` — match the U-suffixed literal style used elsewhere in
  the file (S10.10 sweep convention).

- Drop the `BITS_PER_BYTE = 8U` enum constant; use literal `8U` inline.
  The named constant was used in exactly one place — the bit-iteration
  loop — and its meaning is self-evident from the surrounding CRC code.
  Dropping it also sidesteps clang-tidy's bugprone-too-small-loop-variable
  warning that fired when the new `uint_fast8_t` loop variable was compared
  against an anonymous-enum constant typed as `int`. The other enum
  constants (CRC16_CCITT_INIT / CRC16_CCITT_POLY / MSB_MASK) carry
  non-obvious values and retain their names.

Gates: tidy clean, cppcheck-misra clean on S10.13 scope, 1122 tests pass.
@coderabbitai

coderabbitai Bot commented May 17, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Walkthrough

This PR addresses MISRA conformance findings in the security policies, CRC, and sync primitives group by refining loop variable types, relocating static instances into factory functions, and explicitly managing function pointer lifecycles across create/destroy operations.

Changes

MISRA Conformance: Security Policies, CRC, and Sync Primitives

Layer / File(s) Summary
CRC-16 loop variable type and constant refactoring
Core/Source/SolidSyslogCrc16.c
The inner bit-processing loop now iterates using uint_fast8_t over literal 8U instead of using an int bounded by the removed BITS_PER_BYTE enum constant. CRC computation logic (MSB check, shift, conditional XOR) is preserved.
Security policy factory static instance refactoring
Core/Source/SolidSyslogCrc16Policy.c, Core/Source/SolidSyslogNullSecurityPolicy.c
Static SolidSyslogSecurityPolicy instances moved from file scope into SolidSyslogCrc16Policy_Create() and SolidSyslogNullSecurityPolicy_Create() as function-local statics. Initialization values and return addresses remain unchanged.
Null mutex pointer initialization and cleanup
Core/Source/SolidSyslogNullMutex.c
Static mutex storage renamed to NullMutex_Instance; SolidSyslogNullMutex_Create() now explicitly assigns Lock and Unlock function pointers, and SolidSyslogNullMutex_Destroy() clears them. No-op implementations unchanged.
Conformance work documentation
DEVLOG.md
New entry documenting S10.13 MISRA remediation, CRC-16 loop adjustments, cppcheck-misra observations, and CI gate outcomes (tidy, build, test, coverage, cppcheck).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • DavidCozens/solid-syslog#376: Updates to SolidSyslogCrc16_Compute() and removal of BITS_PER_BYTE constant overlap with prior CRC-16 loop refactoring.

Poem

🐰 A loop that now counts straight and true,
Eight bits fast, not slow like old glue.
Statics tucked in their proper place,
Pointers managed with style and grace.
MISRA smiles at conformance found! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title 'refactor: S10.13 Security policies + CRC + Sync primitives conformance' clearly and specifically describes the main change: applying MISRA conformance refactoring to a named set of components, matching the scope and purpose of the PR.
Description check ✅ Passed The PR description includes all required sections: Purpose (linked issue #383), Change Description (detailed MISRA fixes and CRC improvements with rationale), Test Evidence (comprehensive local testing results), and Areas Affected (edited and in-scope files listed).
Linked Issues check ✅ Passed The PR comprehensively addresses issue #383 objectives: all three MISRA findings (5.9, 8.9 on two files) are fixed per-site with documented rationale, CRC-16 loop improvements are deliberate and justified, test gates pass (1122 tests, zero tidy/cppcheck findings), and no new deviations are introduced [#383].
Out of Scope Changes check ✅ Passed All changes align with #383 scope: MISRA fixes on listed Core source files, deliberate CRC-16 loop tightening, and DEVLOG documentation. No cross-group findings, platform files, or unrelated refactoring are included.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch refactor/s10-13-security-crc-sync-conformance

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@DEVLOG.md`:
- Around line 52-53: Update the DEVLOG note that currently calls uint_fast8_t
"8-bit" to state it is "at least 8 bits" (or similar wording) so it reflects the
C guarantee that uint_fast8_t may be wider on many targets; locate the sentence
mentioning uint_fast8_t in the paragraph around the existing text and replace
"8-bit `uint_fast8_t`" with "at least 8-bit `uint_fast8_t`" or "minimum 8-bit
`uint_fast8_t`" to clarify the guarantee.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 837a74d9-a35f-4031-b2eb-905fc4576b21

📥 Commits

Reviewing files that changed from the base of the PR and between f91f20f and 860a465.

📒 Files selected for processing (5)
  • Core/Source/SolidSyslogCrc16.c
  • Core/Source/SolidSyslogCrc16Policy.c
  • Core/Source/SolidSyslogNullMutex.c
  • Core/Source/SolidSyslogNullSecurityPolicy.c
  • DEVLOG.md

Comment thread DEVLOG.md
Comment on lines +52 to +53
their literal. clang-tidy compared the 8-bit `uint_fast8_t`
variable against the 32-bit `int` bound and flagged it. Three fixes

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

In C99/C11/C17, is uint_fast8_t guaranteed to be exactly 8 bits, or only at least 8 bits?

💡 Result:

In C99, C11, and C17, the type uint_fast8_t is guaranteed to be an unsigned integer type with a width of at least 8 bits [1][2][3]. It is not guaranteed to be exactly 8 bits [4][5]. The C standard defines uint_fastN_t as the fastest unsigned integer type available on the implementation that has a width of at least N bits [1][3]. Because the implementation may choose a larger type (such as 16, 32, or 64 bits) if it is more efficient for the target architecture's word size or alignment requirements, uint_fast8_t can be wider than 8 bits [4][5]. In contrast, the type uint8_t is defined as an unsigned integer type with a width of exactly 8 bits, but it is an optional type and is not guaranteed to be provided by all implementations [2][6]. If an implementation does not support an 8-bit type, uint8_t will not be defined, whereas uint_fast8_t and uint_least8_t are required to be provided [1][4][3].

Citations:


🏁 Script executed:

head -60 DEVLOG.md | tail -20

Repository: DavidCozens/solid-syslog

Length of output: 1010


Correct uint_fast8_t description from "8-bit" to at least 8 bits.

At lines 52–53, the note describes uint_fast8_t as "8-bit". In C, uint_fast8_t is guaranteed to be at least 8 bits and may be wider (16, 32, or 64 bits) on many targets. The phrasing is misleading in technical documentation.

Consider clarifying:

Proposed revision
-  their literal. clang-tidy compared the 8-bit `uint_fast8_t`
-  variable against the 32-bit `int` bound and flagged it. Three fixes
+  their literal. clang-tidy compared the `uint_fast8_t` variable
+  (which may be wider than 8 bits depending on the target) against
+  the `int`-typed bound and flagged it. Three fixes
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
their literal. clang-tidy compared the 8-bit `uint_fast8_t`
variable against the 32-bit `int` bound and flagged it. Three fixes
their literal. clang-tidy compared the `uint_fast8_t` variable
(which may be wider than 8 bits depending on the target) against
the `int`-typed bound and flagged it. Three fixes
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@DEVLOG.md` around lines 52 - 53, Update the DEVLOG note that currently calls
uint_fast8_t "8-bit" to state it is "at least 8 bits" (or similar wording) so it
reflects the C guarantee that uint_fast8_t may be wider on many targets; locate
the sentence mentioning uint_fast8_t in the paragraph around the existing text
and replace "8-bit `uint_fast8_t`" with "at least 8-bit `uint_fast8_t`" or
"minimum 8-bit `uint_fast8_t`" to clarify the guarantee.

@github-actions

Copy link
Copy Markdown
Contributor

☀️   Quality Summary

   🚦   build-linux-gcc: 100% successful (✔️ 1126 passed, 🙈 2 skipped)
   🚦   build-freertos-host-tdd: 100% successful (✔️ 1246 passed, 🙈 2 skipped)
   🚦   build-linux-clang: 100% successful (✔️ 1078 passed, 🙈 2 skipped)
   🚦   sanitize-linux-gcc: 100% successful (✔️ 1078 passed, 🙈 2 skipped)
   🚦   integration-linux-openssl: 100% successful (✔️ 9 passed)
   🚦   integration-windows-openssl: 100% successful (✔️ 9 passed)
   🚦   bdd-linux-syslog-ng: 94% successful (✔️ 46 passed, 🙈 3 skipped)
   🚦   bdd-windows-otel: 90% successful (✔️ 44 passed, 🙈 5 skipped)
   🚦   bdd-freertos-qemu: 73% successful (✔️ 36 passed, 🙈 13 skipped)
   🚦   build-windows-msvc: 100% successful (✔️ 982 passed, 🙈 1 skipped)
   🚦   build-linux-tunable-override: 100% successful (✔️ 1078 passed, 🙈 2 skipped)
   ⚠️   Clang-Tidy: 8 warnings (normal: 8)
   ⚠️   CPPCheck: No warnings


Created by Quality Monitor v1.14.0 (#f3859fd). More details are shown in the GitHub Checks Result.

@DavidCozens DavidCozens merged commit e5c4d8d into main May 17, 2026
20 checks passed
@DavidCozens DavidCozens deleted the refactor/s10-13-security-crc-sync-conformance branch May 17, 2026 05:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

S10.13: Security policies + CRC + Sync primitives conformance

1 participant