PC-lint Plus SE Review

nav_sensor.c(412): error 4150: (Severe -- Semantic dataflow) Pointer 'temp_ptr' derived from 'sensor_buffer + offset' where offset is tainted by unvalidated CAN bus input (path: can_rx_handler -> validate_crc -> extract_payload -> compute_offset). Alias set analysis shows 'temp_ptr' and 'calib_ptr' may converge after loop unrolling at line 408, leading to write-write conflict when temperature exceeds 85°C. [Reference: CWE-123, MISRA C:2023 Rule 11.9]

Eleanor froze. She scrolled up. The analyzer had traced a data flow across seven functions, through three files, and had identified not just a memory corruption, but the exact temperature threshold where it would manifest.

    for (int i = 0; i < SENSOR_HISTORY; i++) {
        temp_ptr = &sensor_buffer[(offset + i) % BUFSZ];
        calib_ptr = &calib_table[temp_ptr->raw >> 2];
        if (temp_ptr->value > 85.0) {
            *calib_ptr = apply_emergency_curve(temp_ptr->value); // here
        }
    }

The aliasing was invisible to human eyes and to ordinary linters. But temp_ptr and calib_ptr could, under specific unrolling, point to overlapping memory if offset was maliciously crafted. The write to calib_ptr would then corrupt the next sensor’s buffer, causing a silent overflow.

Hank sighed. “Try the nuclear option. You know the budget we’re on, but... request a temporary license for PC-lint Plus SE.”

“We can’t. But we also can’t afford a drone that falls out of the sky. I’ll pull strings.”

Two hours later, a license file landed in her inbox. Eleanor downloaded the tool, a command-line beast with no GUI, just a configuration file that looked like an ancient spellbook. She spent the next hour tuning it: setting the dialect to C17, enabling MISRA C:2023, turning on the aggressive interprocedural analysis, and—her final gambit—flipping on .

Her manager, a pragmatist named Hank, hovered over her shoulder. “The client wants a root cause by Friday. We can’t keep respinning the hardware.”

“That’s it,” she whispered.

She pointed PC-lint Plus SE at the flight control module’s core file: nav_sensor.c.

“The issue isn’t the hardware,” Eleanor said, rubbing her eyes. “It’s the software. There’s a pointer dereference that only corrupts memory when the temperature sensor hits a specific threshold. I’ve run every static analyzer we own. Nothing catches it.”

“I thought we couldn’t afford the SE tier,” she said.

The drone stayed stable. On Friday, Eleanor presented the root cause to the client. Hank sat in the back, arms crossed, smiling faintly. After the meeting, Eleanor walked to his desk.

“Can we keep the license?”

In the fluorescent-lit cubicle of a mid-sized aerospace firm, Eleanor, a senior embedded systems engineer, stared at her screen. On it, a flight control module for a new drone was failing its hardware-in-the-loop test for the third time. The code was old, inherited from a defunct contractor, and riddled with subtle bugs that only appeared after seventeen hours of run-time.

She fixed the loop by adding a restrict qualifier and a bounds check on offset. Recompiled. Ran the hardware-in-the-loop test. Seventeen hours passed. Twenty. Thirty.
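The bounds check from the fix above, sketched as an added example (not code from the story or from any real project). The struct layout, the array sizes, CALIB_ENTRIES, the signed type of offset, the body of apply_emergency_curve and the function name update_calibration are assumptions; it covers the index validation only, not the restrict qualifier.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUFSZ          64   /* assumed size */
#define SENSOR_HISTORY 8    /* assumed size */
#define CALIB_ENTRIES  32   /* assumed size */

typedef struct { uint16_t raw; float value; } sample_t;  /* assumed layout */

static sample_t sensor_buffer[BUFSZ];
static float    calib_table[CALIB_ENTRIES];

/* Hypothetical stand-in for the story's emergency curve. */
static float apply_emergency_curve(float v) { return v * 0.5f; }

/* offset arrives from untrusted bus input. Returns the number of
 * calibration entries written, or -1 if offset is rejected. */
int update_calibration(int32_t offset)
{
    /* The modulo in the loop does not protect a signed offset:
     * in C, -5 % 64 is -5, which indexes before sensor_buffer. */
    if (offset < 0 || offset >= BUFSZ)
        return -1;

    int written = 0;
    for (int i = 0; i < SENSOR_HISTORY; i++) {
        const sample_t *temp_ptr = &sensor_buffer[(offset + i) % BUFSZ];
        /* The calibration index comes from sensor data, so bound it too. */
        size_t idx = (size_t)(temp_ptr->raw >> 2);
        if (idx >= CALIB_ENTRIES)
            continue;
        if (temp_ptr->value > 85.0f) {
            calib_table[idx] = apply_emergency_curve(temp_ptr->value);
            written++;
        }
    }
    return written;
}

int main(void)
{
    /* Constructed sample: one hot reading with a valid calibration index. */
    sensor_buffer[3].raw = 40;       /* 40 >> 2 = index 10 */
    sensor_buffer[3].value = 90.0f;
    printf("offset 0  -> %d\n", update_calibration(0));
    printf("offset -5 -> %d\n", update_calibration(-5));
    return 0;
}
```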

That night, as she packed up, Eleanor looked at her terminal—still open, still showing PC-lint Plus SE’s final summary: