Goal Structuring Notation — cJSON Safety Case¶
GSN Safety Case — cJSON v1.7.19 SEooC (ISO 26262-10:2018)¶
The following safety case is structured using the Goal Structuring Notation (GSN) and targets ISO 26262-10:2018 SEooC qualification of cJSON v1.7.19 for ASIL D integration. Goals are linked to their supporting strategies, sub-goals, and solutions (evidence). Context elements capture the Assumptions of Use from Lifecycle Management.
Top-Level Goal¶
Safety Case: cJSON v1.7.19 is sufficiently safe to be integrated as a Safety Element out of Context (SEooC) into an ASIL D automotive system, subject to the Assumptions of Use defined in LM_AOU_CONTEXT through LM_AOU_TOOLCHAIN. SC_CJSON_SAFE
|
Parsing Safety¶
Safety Case: cJSON correctly parses all valid JSON (RFC 8259) and deterministically rejects all malformed inputs. SC_PARSE_SAFETY
|
162 Unity tests covering parsing edge cases, including malformed JSON, deep nesting, and boundary conditions. The test suite passes under standard and ASan+UBSan instrumented builds. Evidence: Execute the full cJSON test... (VER_CJSON_TEST_SUITE). Fuzzing campaign planned: Fuzz-test the cJSON parser ... (VER_CJSON_FUZZING). |
Memory Safety¶
Safety Case: cJSON is free from memory errors (heap corruption, use-after-free, double-free, buffer overrun, uninitialized reads). SC_MEMORY_SAFETY
|
ASan+UBSan instrumentation on full test suite returns CLEAN — no heap out-of-bounds, use-after-free, or stack buffer overflow. ASan’s LeakSanitizer detects memory leaks. A Valgrind/Memcheck gap is documented with ASan mitigation (see Gap Documentation). Evidence: Run AddressSanitizer (ASan)... (VER_CJSON_SANITIZERS), Run Valgrind/Memcheck on th... (VER_CJSON_VALGRIND). |
Undefined Behavior Freedom¶
Safety Case: cJSON does not invoke undefined behavior for any input, including integer overflow, NULL dereference, and malformed data. SC_NO_UB
|
UBSan integer+pointer checks return CLEAN on full test suite.
Arithmetic audit (Audit integer operations in... (VER_CJSON_ARITH)) confirms no signed overflow
in parse_number/print_number. NULL-pointer safety verified by dedicated
test cases (Verify NULL-pointer safety ... (VER_CJSON_API)). Compiler warning audit with
Evidence: Run AddressSanitizer (ASan)... (VER_CJSON_SANITIZERS), Audit integer operations in... (VER_CJSON_ARITH), Verify NULL-pointer safety ... (VER_CJSON_API), The qualified build uses a ... (IMPL_BUILD). |
Verification Completeness¶
Safety Case: All safety requirements are verified with adequate coverage and documented evidence suitable for ISO 26262-8 audit. SC_VERIFICATION_COMPLETE
|
Statement coverage 88.1% (1,788/2,029 lines), function coverage 98.7%
(149/151). All uncovered branches are in error-recovery paths (malloc
failure, depth limit) justified via Measure statement and branc... (VER_CJSON_COVERAGE).
Static analysis (cppcheck Evidence: Measure statement and branc... (VER_CJSON_COVERAGE), Measure cyclomatic complexi... (VER_CJSON_COMPLEXITY), Run static analysis (cppche... (VER_CJSON_STATIC). |
Context¶
Per ISO 26262-10:2018 §6.4.3, the following Assumptions of Use apply to the cJSON SEooC qualification:
See: AoU-1 (Integration Context)... (LM_AOU_CONTEXT), AoU-2 (Input Constraints): ... (LM_AOU_INPUTS), AoU-3 (Threading Model): cJ... (LM_AOU_THREADING), AoU-4 (Error Handling): The... (LM_AOU_ERROR), AoU-5 (Toolchain): The inte... (LM_AOU_TOOLCHAIN). |