Reviews run for a minimum of one week. The outcome of the review is decided on this date. This is the last day to make comments or ask questions about this review.
Eclipse Canon-C
Safety-critical embedded software is dominated by C — and will remain so for the foreseeable future, because C is the only language with a complete certified toolchain (CompCert verified compiler, Frama-C deductive verification, aiT WCET analysis) and decades of auditor familiarity across DO-178C, ISO 26262, IEC 62304, IEC 61508, EN 50128, and ECSS-E-ST-40C.
However, every safety-critical C team independently reinvents the same application-layer infrastructure: arena allocators, fixed-capacity collections, error handling conventions, ownership patterns, and contract checking. Each implementation is slightly different, privately maintained, and verified from scratch for every certification effort. This represents enormous duplicated cost across the industry — and a missed opportunity for shared verification artifacts.
Canon-C was created to close this gap. It is a header-only semantic standard library for C99 that provides a coherent vocabulary above the RTOS kernel and below the application logic — designed from day one for formal verification, MC/DC coverage measurement, and certification evidence reuse.
Eclipse Canon-C provides a strict-layered set of header-only C99 modules covering: portable primitive types, overflow-safe arithmetic, explicit pointer alignment, traceable contracts, arena and pool allocators, fixed-capacity collections (vec, deque, hashmap, priority queue, bitset, array), Result and Option types, explicit ownership annotations, generic algorithms (map, filter, fold, find, sort, search), structured diagnostic frames, string operations, and minimal logging and parsing utilities.
The library targets C99 with no compiler extensions required, is freestanding-safe in its core layers, and contains no RTOS, OS, or libc dependencies in its foundational modules. It is designed to be verified with Frama-C, compiled with CompCert, and analyzed with aiT for WCET bounds.
Out of scope:
Eclipse Canon-C does not provide: an RTOS kernel, networking stacks, file systems, graphical interfaces, device drivers, cryptographic primitives, numerical kernels (BLAS/LAPACK), or threading primitives. These remain the responsibility of the underlying RTOS or specialized libraries. Eclipse Canon-C is the application-layer vocabulary that sits between them.
Eclipse Canon-C is a header-only semantic standard library for C99 targeting safety-critical embedded systems. It provides explicit ownership annotations, Result and Option types, arena allocation, fixed-capacity collections with caller-owned buffers, traceable contracts, and a coherent error-handling model — all designed for formal verification with Frama-C and certification under DO-178C, ISO 26262, IEC 62304, IEC 61508, EN 50128, and ECSS-E-ST-40C.
The library follows a strict dependency hierarchy: core/primitives → core → semantics → data → algo → util. Each layer is complete and independently usable. The core layers are freestanding-safe, with no RTOS, OS, or libc dependencies, allowing Eclipse Canon-C to run on bare metal, on Eclipse ThreadX, or alongside any other RTOS including FreeRTOS and Zephyr.
Eclipse Canon-C's continuous integration pipeline produces certification evidence as a normal part of every commit: 51 test binaries across GCC, Clang, and MSVC on three platforms; AddressSanitizer and UndefinedBehaviorSanitizer in every Debug build; Valgrind memory analysis; libFuzzer fuzzing; clang-tidy and Cppcheck static analysis; MISRA C:2012 advisory checks; and true Modified Condition/Decision Coverage measurement using GCC 14's -fcondition-coverage flag. The verification infrastructure is in place; ACSL annotations and Frama-C proofs are the next planned milestone.
No legal issues are anticipated. All code in the initial contribution is original work authored by Fikret Güney Ersezer with no third-party dependencies. The "Canon-C" name is not currently held as a trademark by any party. The project is being relicensed from MPL-2.0 to MIT specifically for Eclipse contribution; the original author holds full rights to perform this relicensing.
Eclipse ThreadX is the world's only open-source RTOS with safety certifications across IEC 61508, IEC 62304, ISO 26262, and EN 50128. Eclipse Canon-C extends ThreadX's certification advantage from the kernel layer into the application layer by providing a verified vocabulary that ThreadX users can adopt directly into their certified products. The alignment between Eclipse Canon-C's design philosophy (explicit, certifiable, no hidden behavior) and ThreadX's mission (safety-certified open-source RTOS) is exact.
Hosting Eclipse Canon-C as an Eclipse subproject under Eclipse ThreadX provides:
- Vendor-neutral governance and Eclipse Foundation IP review, essential for adoption by safety-critical industries
- Access to the ThreadX community of embedded developers working in automotive, medical, aerospace, and industrial domains
- Institutional credibility that enables defense contractors, Tier 1 automotive suppliers, and medical device manufacturers to evaluate and adopt the library
- A long-term sustainability model through the broader Eclipse Foundation ecosystem
Eclipse Canon-C brings to the Eclipse ThreadX community its first community-contributed application-layer component, demonstrating that the ThreadX ecosystem is open to external contributions and capable of growing beyond its original Express Logic / Microsoft codebase.
Within twelve to eighteen months, Eclipse Canon-C plans to:
- Discharge Frama-C WP proofs across the core/primitives and core/ layers
- Reach and maintain 90%+ MC/DC coverage measured continuously in CI
- Publish a Eclipse ThreadX integration guide demonstrating Eclipse Canon-C usage in ThreadX-based applications
- Document MISRA C:2012 deviations with formal justifications
- Establish a tool qualification reference package for downstream certification efforts
- Grow the committer community through Eclipse member company engagement
- Present Eclipse Canon-C at Embedded World and other industry venues to broaden awareness
Eclipse Canon-C is already an active, tested, documented codebase at version 1.3.0, with over 1294 commits and a comprehensive CI pipeline. Initial contribution to Eclipse can occur immediately upon proposal acceptance.
Anticipated near-term milestones following project creation:
- First Eclipse-hosted release within one quarter of project creation
- Initial ACSL annotations on core/primitives layer (bits.h, checked.h, ptr.h, compare.h) within two quarters
- First Frama-C WP proofs discharged within two to three quarters
- Branch and MC/DC coverage targeted at 90%+ within two quarters
- ThreadX integration guide within two quarters
- Frédéric Desbiens, Eclipse Foundation, Project Lead of Eclipse ThreadX (mentor and committer)
- Eclipse ThreadX project community
- Defense and aerospace embedded software developers requiring DO-178C and ECSS-E-ST-40C certification
- Automotive embedded teams targeting ISO 26262 ASIL B/C/D
- Medical device firmware teams targeting IEC 62304 Class B/C
- Industrial control developers targeting IEC 61508 SIL 2/3
The initial contribution is the existing Eclipse Canon-C codebase, currently hosted at https://github.com/Fikoko/Canon-C, version 1.3.0, with over 1294 commits.
The codebase consists entirely of original work authored by Fikret Güney Ersezer and is currently licensed under MPL-2.0 with a planned relicensing to MIT for Eclipse contribution. All copyrights are held solely by the original author. There are no third-party code dependencies in the library itself; the test infrastructure uses standard tooling (CMake, GCC, Clang, MSVC, Valgrind, Cppcheck, clang-tidy, libFuzzer) which are not bundled with the codebase.
The library is header-only and consists of approximately 40 modules organized into a strict dependency hierarchy across six layers. Test coverage includes 51 test binaries with line coverage at 95.9%, function coverage at 99.6%, and MC/DC coverage at 74.3% measured with GCC 14.
- Log in to post comments
Eclipse Canon-C is a header-only semantic standard library for C99 targeting safety-critical embedded systems. It provides explicit ownership annotations, Result and Option types, arena allocation, fixed-capacity collections with caller-owned buffers, traceable contracts, and a coherent error-handling model — all designed for formal verification with Frama-C and certification under DO-178C, ISO 26262, IEC 62304, IEC 61508, EN 50128, and ECSS-E-ST-40C.
The library follows a strict dependency hierarchy: core/primitives → core → semantics → data → algo → util. Each layer is complete and independently usable. The core layers are freestanding-safe, with no RTOS, OS, or libc dependencies, allowing Eclipse Canon-C to run on bare metal, on Eclipse ThreadX, or alongside any other RTOS including FreeRTOS and Zephyr.
Eclipse Canon-C's continuous integration pipeline produces certification evidence as a normal part of every commit: 51 test binaries across GCC, Clang, and MSVC on three platforms; AddressSanitizer and UndefinedBehaviorSanitizer in every Debug build; Valgrind memory analysis; libFuzzer fuzzing; clang-tidy and Cppcheck static analysis; MISRA C:2012 advisory checks; and true Modified Condition/Decision Coverage measurement using GCC 14's -fcondition-coverage flag. The verification infrastructure is in place; ACSL annotations and Frama-C proofs are the next planned milestone.
- Log in to post comments
Initial draft
Submitted by Fikret Güney Ersezer on Fri, 04/10/2026 - 02:10
Initial draft of Canon-C project proposal.