Goal Structuring Notation — cJSON Safety Case

@startuml
' Auto-generated by OSQAr — GSN safety case (PlantUML)
'
skinparam backgroundColor #FEFEFE
skinparam defaultFontSize 10
skinparam defaultTextAlignment center
skinparam ArrowColor #333333

' Shape styling
skinparam rectangle {
  BorderColor #2E7D32
  BackgroundColor #C8E6C9
}
skinparam node {
  BorderColor #E65100
  BackgroundColor #FFE0B2
}
skinparam circle {
  BorderColor #1565C0
  BackgroundColor #BBDEFB
}

' ==================================================================
' GSN SAFETY CASE
' ==================================================================

rectangle "**SC_CJSON_SAFE**\ncJSON v1.7.19 is sufficiently safe to be\nintegrated as a Safety Element out of Context\n(SEooC) into an ASIL D automotive system,\nsubject to the Assumptions of Use defined in\nLM_AOU_CONTEXT through LM_AOU_TOOLCHAIN." as SC_CJSON_SAFE <<goal>> #C8E6C9
rectangle "**LM_AOU_CONTEXT**\nAoU-1 (Integration Context): cJSON is\nintegrated as a stateless library in an ASIL\nD ECU context. All state is caller-owned\n(cJSON* pointers). The integrator provides a\nqualified memory allocator via\ncJSON_InitHooks." as LM_AOU_CONTEXT <<context>> #B3E0F2
SC_CJSON_SAFE .right.> LM_AOU_CONTEXT : context
rectangle "**LM_AOU_ERROR**\nAoU-4 (Error Handling): The integrator shall\ncheck all cJSON return values for error\nindicators (NULL from parse/create functions,\ncJSON_False from boolean returns). Unchecked\nerror paths are the integrator's\nresponsibility." as LM_AOU_ERROR <<context>> #B3E0F2
SC_CJSON_SAFE .right.> LM_AOU_ERROR : context
rectangle "**LM_AOU_INPUTS**\nAoU-2 (Input Constraints): JSON inputs\nprocessed through cJSON shall not exceed\nCJSON_NESTING_LIMIT (1000) depth. Maximum\nsingle string length is bounded by available\nmemory. Inputs originate from a trusted or\nintegrity-checked source (validated at system\nlevel before reaching cJSON)." as LM_AOU_INPUTS <<context>> #B3E0F2
SC_CJSON_SAFE .right.> LM_AOU_INPUTS : context
rectangle "**LM_AOU_THREADING**\nAoU-3 (Threading Model): cJSON is not\nthread-safe and shall be used from a single\nthread of control or externally synchronized\nby the integrator." as LM_AOU_THREADING <<context>> #B3E0F2
SC_CJSON_SAFE .right.> LM_AOU_THREADING : context
rectangle "**LM_AOU_TOOLCHAIN**\nAoU-5 (Toolchain): The integrator shall\nreproduce the qualification build with the\naudited toolchain version and compiler flags.\nBinary equivalence or semantic equivalence\nshall be demonstrated." as LM_AOU_TOOLCHAIN <<context>> #B3E0F2
SC_CJSON_SAFE .right.> LM_AOU_TOOLCHAIN : context
usecase "**SC_AOU_CONTEXT**\nSEooC Assumptions of Use" as SC_AOU_CONTEXT <<assumption>> #FFF9C4
SC_CJSON_SAFE .right.> SC_AOU_CONTEXT : context
node "**ST1**\nArgument by\n4 safety goals" as ST1 <<strategy>> #FFE0B2
SC_CJSON_SAFE -down-> ST1 : supported by
rectangle "**SC_PARSE_SAFETY**\ncJSON correctly parses all valid JSON (RFC 8259)\nand deterministically rejects all malformed\ninputs." as SC_PARSE_SAFETY <<goal>> #C8E6C9
ST1 -down-> SC_PARSE_SAFETY
circle "**VER_CJSON_FUZZING**\nFuzz-test the cJSON parser with\nAFL++ or libFuzzer for a minimum of\n24 CPU-hours. All crashes, hangs,\nand assertion failures shall be\ntriaged and resolved." as VER_CJSON_FUZZING <<solution>> #BBDEFB
SC_PARSE_SAFETY .down.> VER_CJSON_FUZZING : evidence
circle "**VER_CJSON_TEST_S...**\nExecute the full cJSON test suite\n(unit tests for parser, printer,\nutilities, RFC conformance) and\nconfirm all tests pass with zero\nfailures." as VER_CJSON_TEST_SUITE <<solution>> #BBDEFB
SC_PARSE_SAFETY .down.> VER_CJSON_TEST_SUITE : evidence
rectangle "**REQ_CJSON_PARSE_VALID**\nThe cJSON parser shall accept all valid\nJSON texts as defined by RFC 8259 and\nreject all malformed inputs with a\ndeterministic error state." as REQ_CJSON_PARSE_VALID <<requirement>> #FFF9C4
SC_PARSE_SAFETY .right.> REQ_CJSON_PARSE_VALID : context
rectangle "**SC_NO_UB**\ncJSON does not invoke undefined behavior for any\ninput, including integer overflow, NULL\ndereference, and malformed data." as SC_NO_UB <<goal>> #C8E6C9
ST1 -down-> SC_NO_UB
circle "**VER_CJSON_API**\nVerify NULL-pointer safety by\nconstructing test cases that pass\nNULL to every public API function\nand confirming deterministic error\nreturns." as VER_CJSON_API <<solution>> #BBDEFB
SC_NO_UB .down.> VER_CJSON_API : evidence
circle "**VER_CJSON_ARITH**\nAudit integer operations in\nparse_number, print_number, and\nbuffer-size computation for signed\noverflow and wraparound\nvulnerabilities. Verify with UBSan\ninteger checks." as VER_CJSON_ARITH <<solution>> #BBDEFB
SC_NO_UB .down.> VER_CJSON_ARITH : evidence
circle "**VER_CJSON_SANITI...**\nRun AddressSanitizer (ASan) and\nUndefinedBehaviorSanitizer (UBSan)\ninstrumented test builds to detect\nruntime memory errors and undefined\nbehavior." as VER_CJSON_SANITIZERS <<solution>> #BBDEFB
SC_NO_UB .down.> VER_CJSON_SANITIZERS : evidence
rectangle "**REQ_CJSON_NO_UB**\nThe library shall not invoke undefined\nbehavior for any input, including\nmalformed JSON, integer overflow in\ndepth/buffer-size parameters, and NULL\npointer arguments." as REQ_CJSON_NO_UB <<requirement>> #FFF9C4
SC_NO_UB .right.> REQ_CJSON_NO_UB : context
rectangle "**SC_MEMORY_SAFETY**\ncJSON is free from memory errors (heap\ncorruption, use-after-free, double-free, buffer\noverrun, uninitialized reads)." as SC_MEMORY_SAFETY <<goal>> #C8E6C9
ST1 -down-> SC_MEMORY_SAFETY
circle "**VER_CJSON_VALGRI...**\nRun Valgrind/Memcheck on the test\nsuite to verify absence of memory\nleaks, use-after-free,\nuninitialized reads, and invalid\nmemory accesses." as VER_CJSON_VALGRIND <<solution>> #BBDEFB
SC_MEMORY_SAFETY .down.> VER_CJSON_VALGRIND : evidence
rectangle "**REQ_CJSON_MEMORY_SAFE**\nAll memory allocations shall be checked\nfor failure. Any failed allocation shall\nresult in a deterministic error return\n(NULL) without undefined behavior." as REQ_CJSON_MEMORY_SAFE <<requirement>> #FFF9C4
SC_MEMORY_SAFETY .right.> REQ_CJSON_MEMORY_SAFE : context
rectangle "**SC_VERIFICATION_COMPLETE**\nAll safety requirements are verified with\nadequate coverage and documented evidence suitable\nfor ISO 26262-8 audit." as SC_VERIFICATION_COMPLETE <<goal>> #C8E6C9
ST1 -down-> SC_VERIFICATION_COMPLETE
circle "**VER_CJSON_COMPLE...**\nMeasure cyclomatic complexity of\nall cJSON functions. Functions\nexceeding McCabe 15 shall be\nreviewed and justifications\ndocumented." as VER_CJSON_COMPLEXITY <<solution>> #BBDEFB
SC_VERIFICATION_COMPLETE .down.> VER_CJSON_COMPLEXITY : evidence
circle "**VER_CJSON_COVERA...**\nMeasure statement and branch\ncoverage of the test suite on the\ncJSON source. Target: ≥ 90%\nstatement coverage, ≥ 80% branch\ncoverage. Document uncovered\nbranches with safety\njustifications." as VER_CJSON_COVERAGE <<solution>> #BBDEFB
SC_VERIFICATION_COMPLETE .down.> VER_CJSON_COVERAGE : evidence
rectangle "**REQ_CJSON_TRACEABILITY**\nAll safety requirements shall be\ntraceable to verification activities,\nand all verification activities shall\nproduce documentation artifacts suitable\nfor ISO 26262-8:2018 Clause 9\n(Verification) audit." as REQ_CJSON_TRACEABILITY <<requirement>> #FFF9C4
SC_VERIFICATION_COMPLETE .right.> REQ_CJSON_TRACEABILITY : context

note bottom of SC_CJSON_SAFE
  <color:green>■</color> Goal  <color:orange>⬡</color> Strategy  <color:blue>●</color> Solution  <color:cyan>■</color> Context
end note

@enduml

GSN Safety Case — cJSON v1.7.19 SEooC (ISO 26262-10:2018)

The following safety case is structured using the Goal Structuring Notation (GSN) and targets ISO 26262-10:2018 SEooC qualification of cJSON v1.7.19 for ASIL D integration. Goals are linked to their supporting strategies, sub-goals, and solutions (evidence). Context elements capture the Assumptions of Use from Lifecycle Management.

Top-Level Goal

Safety Case: cJSON v1.7.19 is sufficiently safe to be integrated as a Safety Element out of Context (SEooC) into an ASIL D automotive system, subject to the Assumptions of Use defined in LM_AOU_CONTEXT through LM_AOU_TOOLCHAIN. SC_CJSON_SAFE

Parsing Safety

Safety Case: cJSON correctly parses all valid JSON (RFC 8259) and deterministically rejects all malformed inputs. SC_PARSE_SAFETY
status: active
tags: safety-case, parsing
Safety Case: Solution: Parsing Evidence SC_PARSE_EVIDENCE
status: active
tags: safety-case, evidence, parsing
links outgoing: SC_PARSE_SAFETY

162 Unity tests covering parsing edge cases, including malformed JSON, deep nesting, and boundary conditions. The test suite passes under standard and ASan+UBSan instrumented builds.

Evidence: Execute the full cJSON test... (VER_CJSON_TEST_SUITE). Fuzzing campaign planned: Fuzz-test the cJSON parser ... (VER_CJSON_FUZZING).

Memory Safety

Safety Case: cJSON is free from memory errors (heap corruption, use-after-free, double-free, buffer overrun, uninitialized reads). SC_MEMORY_SAFETY
status: active
tags: safety-case, memory
Safety Case: Solution: Memory Safety Evidence SC_MEMORY_EVIDENCE
status: active
tags: safety-case, evidence, memory
links outgoing: SC_MEMORY_SAFETY

ASan+UBSan instrumentation on full test suite returns CLEAN — no heap out-of-bounds, use-after-free, or stack buffer overflow. ASan’s LeakSanitizer detects memory leaks. A Valgrind/Memcheck gap is documented with ASan mitigation (see Gap Documentation).

Evidence: Run AddressSanitizer (ASan)... (VER_CJSON_SANITIZERS), Run Valgrind/Memcheck on th... (VER_CJSON_VALGRIND).

Undefined Behavior Freedom

Safety Case: cJSON does not invoke undefined behavior for any input, including integer overflow, NULL dereference, and malformed data. SC_NO_UB
status: active
tags: safety-case, ub
Safety Case: Solution: UB Freedom Evidence SC_UB_EVIDENCE
status: active
tags: safety-case, evidence, ub
links outgoing: SC_NO_UB

UBSan integer+pointer checks return CLEAN on full test suite. Arithmetic audit (Audit integer operations in... (VER_CJSON_ARITH)) confirms no signed overflow in parse_number/print_number. NULL-pointer safety verified by dedicated test cases (Verify NULL-pointer safety ... (VER_CJSON_API)). Compiler warning audit with -Werror -Wconversion — zero warnings.

Evidence: Run AddressSanitizer (ASan)... (VER_CJSON_SANITIZERS), Audit integer operations in... (VER_CJSON_ARITH), Verify NULL-pointer safety ... (VER_CJSON_API), The qualified build uses a ... (IMPL_BUILD).

Verification Completeness

Safety Case: All safety requirements are verified with adequate coverage and documented evidence suitable for ISO 26262-8 audit. SC_VERIFICATION_COMPLETE
status: active
tags: safety-case, verification
Safety Case: Solution: Verification Completeness Evidence SC_VERIFICATION_EVIDENCE
status: active
tags: safety-case, evidence, coverage
links outgoing: SC_VERIFICATION_COMPLETE

Statement coverage 88.1% (1,788/2,029 lines), function coverage 98.7% (149/151). All uncovered branches are in error-recovery paths (malloc failure, depth limit) justified via Measure statement and branc... (VER_CJSON_COVERAGE). Static analysis (cppcheck --all --inconclusive) produces reviewed report. Complexity analysis: one function (parse_string, CC=18) exceeds McCabe 15 with documented justification.

Evidence: Measure statement and branc... (VER_CJSON_COVERAGE), Measure cyclomatic complexi... (VER_CJSON_COMPLEXITY), Run static analysis (cppche... (VER_CJSON_STATIC).

Context

Safety Case: SEooC Assumptions of Use SC_AOU_CONTEXT
status: active
tags: safety-case, context, aou
links outgoing: SC_CJSON_SAFE

Per ISO 26262-10:2018 §6.4.3, the following Assumptions of Use apply to the cJSON SEooC qualification:

  1. cJSON is integrated as a stateless library with caller-owned state and a qualified memory allocator provided by the integrator via cJSON_InitHooks.

  2. JSON inputs do not exceed CJSON_NESTING_LIMIT (1000) depth; max string length is bounded by available memory; inputs originate from a trusted or integrity-checked source.

  3. Single-threaded use or external synchronization by integrator.

  4. All cJSON return values are checked by integrator; NULL/cJSON_False indicate errors.

  5. Qualification build is reproduced with audited toolchain and compiler flags.

See: AoU-1 (Integration Context)... (LM_AOU_CONTEXT), AoU-2 (Input Constraints): ... (LM_AOU_INPUTS), AoU-3 (Threading Model): cJ... (LM_AOU_THREADING), AoU-4 (Error Handling): The... (LM_AOU_ERROR), AoU-5 (Toolchain): The inte... (LM_AOU_TOOLCHAIN).