SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 63

changes.mady.by.user Melanie Thompson

Saved on

compared with

New Version 64

changes.mady.by.user Shannon Haas

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Wiki Markup
In this noncompliant code example, the function {{clear()}} zeros the elements in an array. The function has one parameter declared as {{int array\[\]}} and is passed a static array consisting of 12 {{int}} as the argument. The function {{clear()}} uses the idiom {{sizeof(array) / sizeof(array\[0\])}} to determine the number of elements in the array. However, {{array}} has a pointer type because it is a parameter. As a result, {{sizeof(array)}} is equal to the {{sizeof(int \*)}}. For example, on an architecture (such as IA-32) where the {{sizeof(int) == 4}} and the {{sizeof(int *) == 4}}, the expression {{sizeof(array) / sizeof(array\[0\])}} evaluates to 1, regardless of the length of the array passed, leaving the rest of the array unaffected.

Code Block
bgColor#FFcccc
langc
void clear(int array[]) {
  for (size_t i = 0; i < sizeof(array) / sizeof(array[0]); ++i) {
     array[i] = 0;
   }
}

void dowork(void) {
  int dis[12];

  clear(dis);
  /* ... */
}

...

In this compliant solution, the size of the array is determined inside the block in which it is declared and passed as an argument to the function.

Code Block
bgColor#ccccff
langc
void clear(int array[], size_t len) {
    for (size_t i = 0; i < len; i++) {
     array[i] = 0;
  }
}

void dowork(void) {
  int dis[12];

  clear(dis, sizeof(dis) / sizeof(dis[0]));
  /* ... */
}

...

In this noncompliant code example, the sizeof a does not equal 100 * sizeof(int). This is because the sizeof operator, when applied to a parameter declared to have array or function type, yields the size of the adjusted (pointer) type, even if the parameter declaration specifies a length.

Code Block
bgColor#FFcccc
langc
enum {ARR_LEN = 100};

void clear(int a[ARR_LEN]) {
  memset(a, 0, sizeof(a)); /* error */
}

int main(void) {
  int b[ARR_LEN];
  clear(b);
  assert(b[ARR_LEN / 2]==0); /* may fail */
  return 0;
}

...

In this compliant solution, the size is specified using the expression len * sizeof(int).

Code Block
bgColor#ccccff
langc
enum {ARR_LEN = 100};

void clear(int a[], size_t len) {
  memset(a, 0, len * sizeof(int));
}

int main(void) {
  int b[ARR_LEN];
  clear(b, ARR_LEN);
  assert(b[ARR_LEN / 2]==0); /* cannot fail */
  return 0;
}

...