AgentSkillsCN

Embedded C

嵌入式 C

SKILL.md
--- frontmatter
skill_id: FW-EMBEDDED-C
version: 1.0.0
last_updated: 2026-01-04
applies_to: [Class A, Class B, Class C]
jurisdiction: [Global]
prerequisites: [ARCH-DEFENSIVE, ARCH-SAFETY-CLASS]

Embedded C Coding Standards for Medical Devices

Purpose

Define C coding practices aligned with MISRA C and medical device safety needs: type safety, control flow, memory management, interrupts, and static analysis.

When to Apply

  • All C firmware code for safety-related device functions.
  • New modules, refactors, or code reviews affecting safety classes.

Requirements (testable)

  1. Types: Use fixed-width integers (uint32_t, etc.); avoid implicit type promotions; enable warnings-as-errors (-Wall -Wextra -Werror). Rationale: predictability.
  2. Const Correctness: Mark read-only data/parameters const; avoid casting away const. Rationale: prevent unintended mutation.
  3. Control Flow: No recursion; bounded loops; single exit per function preferred unless clarity dictates otherwise. Rationale: analyzability.
  4. Memory: Avoid dynamic allocation in safety-critical paths; prefer static or pooled allocation; no unchecked malloc. Rationale: determinism.
  5. Pointer Safety: No pointer arithmetic on unrelated objects; check for null before deref; avoid double-free; restrict casts. Rationale: memory safety.
  6. Interrupt Safety: ISRs minimal, no blocking, defer work to threads; protect shared data with proper primitives; volatile on shared flags. Rationale: correctness under concurrency.
  7. Complexity: Maintain function size and cyclomatic complexity within agreed limits; refactor large functions. Rationale: testability and reviewability.
  8. Includes & Headers: Use include guards; separate interface in headers; no hidden macros; document ownership of globals. Rationale: clarity and hygiene.
  9. Static Analysis: Run MISRA checks and SAST; address findings or document justified deviations. Rationale: defect prevention.

Recommended Practices

  • Use static inline for simple accessors; minimize macros.
  • Prefer enums over macros for states/constants; ensure exhaustive switch.
  • Keep module-level ownership clear; avoid global mutable state.
  • Use static_assert for sizes and assumptions where compiler supports.
  • Document timing constraints near code (e.g., ISR max latency).

Patterns

Fixed-width types and const:

c
// REQ-C-TYPE-01; TEST-C-01
static uint32_t sum_samples(const uint16_t *samples, size_t n) {
    uint32_t acc = 0U;
    for (size_t i = 0; i < n; i++) {
        acc += samples[i];
    }
    return acc;
}

Static buffer, no malloc:

c
// REQ-C-MEM-02; TEST-C-05
static uint8_t rx_buf[128];
size_t uart_read_safe(uint8_t *out, size_t max_len) {
    size_t n = uart_read(rx_buf, sizeof(rx_buf));
    if (n > max_len) n = max_len;
    memcpy(out, rx_buf, n);
    return n;
}

ISR defers work:

c
// REQ-C-ISR-03; TEST-C-10
volatile bool g_data_ready = false;
void UART_IRQHandler(void) {
    clear_irq();
    g_data_ready = true; // minimal work
}

Anti-Patterns (risks)

  • Heap allocation in control loops -> risk: fragmentation, failure to allocate.
  • Recursion or unbounded loops -> risk: stack overflow, non-termination.
  • Large ISRs doing I/O or blocking -> risk: missed deadlines, priority inversion.
  • Implicit int/enum conversions without checks -> risk: overflow/undefined behavior.
  • Ignoring MISRA/SAST findings -> risk: latent defects.

Verification Checklist

  • Fixed-width types used; warnings as errors enabled.
  • Const correctness applied; no casts removing const without justification.
  • No recursion; loops bounded; complexity within limits.
  • No dynamic allocation in safety paths; pools/static used; no unchecked malloc.
  • Pointer use validated; null checks present; casts justified.
  • ISRs minimal; shared data protected; volatile flags used where appropriate.
  • Headers guarded; interfaces clean; globals ownership documented.
  • MISRA/static analysis run; deviations documented; findings resolved.

Traceability

  • Tag requirements as REQ-C-###; link to unit tests TEST-C-### and MISRA deviation records.
  • Store tool reports with build artifacts for the release.

References

  • MISRA C:2012 with Amendment 1 (2016), Amendment 2 (2020), and Amendment 3 (2024) guidelines.
  • MISRA C:2023 (Third Edition) - consider for new projects.
  • IEC 62304 implementation discipline expectations.
  • SEI CERT C (informative).

Changelog

  • 1.0.1 (2026-01-04): Audit correction - updated MISRA C references to include all amendments and MISRA C:2023.
  • 1.0.0 (2026-01-04): Initial embedded C skill with MISRA-aligned rules, ISR handling, and static analysis.

Audit History

  • 2026-01-04: Audit performed. Corrections:
    • MISRA C:2012 Amendment 2 reference expanded to include all amendments (1, 2, 3)
    • Added reference to MISRA C:2023 (Third Edition)
    • Code examples verified for C11 compliance and MISRA alignment