Reputation: 11
When I run a static analysis tool (CodeSonar), I get security issues related to an uninitialized variable in the cmsis_armcc.h file for the following code:
__STATIC_INLINE uint32_t __get_CONTROL(void)
{
  register uint32_t __regControl __ASM("control");
  return(__regControl);
}
The issue is that cmsis_armcc.h is a read-only file in the Keil IDE. Are there any ways I can resolve this issue? I would appreciate any suggestions.
Compiler: ARM Compiler version 5.06 update 7.
Thank you in advance!
Upvotes: 0
Views: 59
Reputation: 93446
Solutions include:
It is normal in static analysis to set all third-party provided files to ignore or provide stubs. They typically include system level code that would be ill-advised in user code, and often employ platform specific compiler extensions and directives that may not be recognised by the analyser. I would be surprised if this were the only system file that your analyser would have trouble with, so you need a global solution.
For the first option, copy the real file to a static analysis specific header path, and modify it as necessary. For the second, that will be specific to your tool, as will the means of providing system include paths for the first.
Given that many of these system files are deeply nested and numerous, I would favour the first option, but there may be syntax and extensions in this code that defeat the analyser. That can often be dealt with by defining macros for confounding code so that it is replaced by the preprocessor with something benign before analysis.
Upvotes: 2
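The macro approach from the answer above, applied to the function quoted in the question, as an added example that is not code from the answer, CMSIS or CodeSonar. The names analysis_control_reg, analysis_reg_read and analysis_set_control are hypothetical, and it assumes the analyser's preprocessor sees these definitions before the header's own definition of __ASM and that the header leaves an already defined __ASM alone.

```c
/* Analysis-only shim (constructed example): seen by the static analyser,
 * never by the ARM Compiler build that produces the firmware image. */
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the core register as plain, initialised memory,
 * so every read the analyser traces starts from a defined value. */
static uint32_t analysis_control_reg = 0u;

static uint32_t analysis_reg_read(const char *name)
{
    /* Only CONTROL is modelled here; any other name reads as zero. */
    return (strcmp(name, "control") == 0) ? analysis_control_reg : 0u;
}

/* Helper for host-side checks: set the modelled register value. */
static void analysis_set_control(uint32_t value)
{
    analysis_control_reg = value;
}

/* Replace the armcc named-register extension with an ordinary initialiser:
 *     register uint32_t r __ASM("control");
 * is preprocessed to
 *     register uint32_t r = analysis_reg_read("control");              */
#define __ASM(name)      = analysis_reg_read(name)
#define __STATIC_INLINE  static inline

/* Function text exactly as quoted in the question; with the macros above
 * the local variable is initialised on every path. */
__STATIC_INLINE uint32_t __get_CONTROL(void)
{
  register uint32_t __regControl __ASM("control");
  return(__regControl);
}
```

Keep these definitions on an include path or in a configuration that only the analyser uses, so the firmware build still compiles the untouched vendor header.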