Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Two or more incompatible declarations of the same function or object that must not appear in the same program shall be diagnosed because they result in undefined behavior. The C Standard, 6.2.7, mentions that two types may be distinct yet compatible and addresses precisely when two distinct types are compatible.

The C Standard [ISO/IEC 9899:2011] identifies three distinct identifies four situations in which undefined behavior (UB) may arise as a result of incompatible declarations of the same function or object:

UB

Description

Code

15

14

Two declarations of the same object or function specify types that are not compatible (6.2.7).

All noncompliant code in this guideline

30Two identifiers differ only in nonsignificant characters (6.
37
4.2.1).Excessively Long Identifiers

36

An object has its stored value accessed other than by an lvalue of an allowable type (6.5).

Incompatible Object Declarations

,


Incompatible Array Declarations

41

37

A function is defined with a type that is not compatible with the type (of the expression) pointed to by the expression that denotes the called function (6.5.2.2).

Incompatible Function Declarations

,

 
Excessively Long Identifiers

Although the effect of two incompatible declarations simply appearing in the same program may be benign on most implementations, the effects of invoking a function through an expression whose type is incompatible with the function definition are typically catastrophic. Similarly, the effects of accessing an object using an lvalue of a type that is incompatible with the object definition may range from unintended information exposure to memory overwrite to a hardware trap.

Anchor
Incompatible Object Declarations
Incompatible Object Declarations
Noncompliant Code Example (Incompatible Object Declarations)

In this noncompliant code example, the variable i is declared to have type int in file a.c but defined to be of type short in file b.c. The declarations are incompatible, resulting in undefined behavior undefined behavior 1514. Furthermore, accessing the object using an lvalue of an incompatible type, as done shown in function f() results in , is undefined behavior 37 with 36 with possible observable results ranging from unintended information exposure to memory overwrite to a hardware trap.

Code Block
bgColor#FFcccc
languagec
/* inIn a.c */
extern int i;   /* UB 1514 */

int f(void) {
  return ++i;   /* UB 3736 */
}

/* inIn b.c */
short i;   /* UB 1514 */

Compliant Solution (Incompatible Object Declarations)

This compliant solution has compatible declarations of the variable i:

Code Block
bgColor#ccccff
langc
/* In a.c */
extern int i;   

int f(void) {
  return ++i;   
}

/* In b.c */
int i;   

Anchor
Incompatible Array Declarations
Incompatible Array Declarations
Noncompliant Code Example (Incompatible Array Declarations)

In this noncompliant code example, the variable a is declared to have array a pointer type in file a.c but defined to have pointer an array type in file b.c. The two declarations are incompatible, resulting in undefined behavior 1514. As before, accessing the object in function f() results in is undefined behavior 3736 with the typical effect of triggering a hardware trap.

Code Block
bgColor#FFcccc
languagec
/* inIn a.c */
extern int *a;   /* UB 1514 */

int f(unsigned int i, int x) {
  int tmp = a[i];   /* UB 3736: read access */
  a[i] = x;         /* UB 3736: write access */
  return tmp;
}

/* inIn b.c */
int a[] = { 1, 2, 3, 4 };   /* UB 15 */
 14 */

Compliant Solution (Incompatible Array Declarations)

This compliant solution declares a as an array in a.c and b.c:

Code Block
bgColor#ccccff
langc
/* In a.c */
extern int a[];   

int f(unsigned int i, int x) {
  int tmp = a[i];   
  a[i] = x;         
  return tmp;
}

/* In b.c */
int a[] = { 1, 2, 3, 4 };  

Anchor
Incompatible Function Declarations
Incompatible Function Declarations
Noncompliant Code Example (Incompatible Function Declarations)

In this noncompliant code example, the function f() is declared in file a.c with one prototype but defined in file b.c with another. The two prototypes are incompatible, resulting in undefined behavior 1514. Furthermore, invoking the function results in is undefined behavior 41 with 37 and typically has catastrophic effectsconsequences.

Code Block
bgColor#FFcccc
languagec
/* inIn a.c */
extern int f(int a);   /* UB 1514 */

int g(int a) {
  return f(a);   /* UB 4137 */
}

/* inIn b.c */
long f(long a) {   /* UB 1514 */
  return a * 2;
}

Compliant Solution (Incompatible Function Declarations)

This compliant solution has compatible prototypes for the function f():

Code Block
bgColor#ccccff
langc
/* In a.c */
extern int f(int a);   

int g(int a) {
  return f(a);   
}

/* In b.c */
int f(int a) {   
  return a * 2;
}

Noncompliant Code Example (Incompatible Variadic Function Declarations)

In this noncompliant code example, the function buginf() is defined to take a variable number of arguments and expects them all to be signed integers with a sentinel value of -1:

Code Block
bgColor#FFCCCC
langc
/* In a.c */
void buginf(const char *fmt, ...) {
   /* ... */
}
 
/* In b.c */
void buginf();


Although this code appears to be well defined because of the prototype-less declaration of buginf(), it exhibits undefined behavior 76 in accordance with the C Standard, 6.7.7.4, paragraph 14 [ISO/IEC 9899:2024],

For two function types to be compatible, both shall specify compatible return types. Moreover, the parameter type lists shall agree in the number of parameters and in use of the final ellipsis; corresponding parameters shall have compatible types. In the determination of type compatibility and of a composite type, each parameter declared with function or array type is taken as having the adjusted type and each parameter declared with qualified type is taken as having the unqualified version of its declared type.

Compliant Solution (Incompatible Variadic Function Declarations)

In this compliant solution, the prototype for the function buginf() is included in the scope in the source file where it will be used:

Code Block
bgColor#ccccff
langc
/* In a.c */
void buginf(const char *fmt, ...) {
   /* ... */
}

/* In b.c */
void buginf(const char *fmt, ...);

Anchor
Excessively Long Identifiers
Excessively Long Identifiers
Noncompliant Code Example (Excessively Long Identifiers)

...

...

...

...

...

Code Block
bgColor#FFcccc
languagec
/* inIn bash/bashline.h */
/* UB 14, UB 30 */
extern char * bash_groupname_completion_function(const char *, int);   /* UB 15 */

/* inIn a.c */
#include <bashline"bashline.h>h"

void f(const char *s, int i) {
  bash_groupname_completion_function(s, i);   /* UB 4137 */
}

/* inIn b.c */
int bash_groupname_completion_funcfunct;   /* UB 14, UB 1530 */

NoteNOTE: The identifier bash_groupname_completion_function referenced here was taken from GNU Bash, version 3.2.

Exceptions

Compliant Solution (Excessively Long Identifiers)

In this compliant solution, the length of the identifier declaring the function pointer bash_groupname_completion() in bashline.h is less than 32 characters. Consequently, it cannot clash with bash_groupname_completion_funct on any compliant platform AnchorDCL40-EX1DCL40-EX1DCL40-EX1: No diagnostic need be issued if a declaration that is incompatible with the definition occurs in a translation unit that does not contain any definition or uses of the function or object other than possibly additional declarations.

Code Block
bgColor#ccccff
languagelangc
/* In abashline.c:h */
intextern char x = 0; /* the definition */* bash_groupname_completion(const char *, int);   

/* bIn a.c: */
extern#include "bashline.h"

void f(const char x; /*s, incompatibleint declarationi) */{
/* but no other references to 'x' */

Related Guidelines

  bash_groupname_completion(s, i);  
}

/* In b.c */
int bash_groupname_completion_funct; 

Risk Assessment

Rule

Severity

Likelihood

Detectable

Repairable

Priority

Level

DCL40-C

Low

Unlikely

Yes

No

P2

L3

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

type-compatibility

type-compatibility-link

distinct-extern

Fully checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-DCL40Fully implemented
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
LANG.STRUCT.DECL.IF
LANG.STRUCT.DECL.IO
Inconsistent function declarations
Inconsistent object declarations
Coverity
Include Page
Coverity_V
Coverity_V
MISRA C 2012 Rule 8.4Implemented
Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

premium-cert-dcl40-c
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0776, C0778, C0779, C0789, C1510

C++1510

Fully implemented
Klocwork

Include Page
Klocwork_V
Klocwork_V

MISRA.FUNC.NOPROT.DEF.2012
MISRA.FUNC.PARAMS.IDENT

Fully implemented
LDRA tool suite8.5.4

1 X, 17 D

Partially implemented
Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-DCL40-a
CERT_C-DCL40-b

All declarations of an object or function shall have compatible types
If objects or functions are declared more than once their types shall be compatible

Parasoft Insure++



Runtime analysis

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

18, 621, 793, 4376

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule DCL40-C




Checks for declaration mismatch (rule fully covered)

RuleChecker

Include Page
RuleChecker_V
RuleChecker_V

type-compatibility

type-compatibility-link

distinct-extern

 

Fully checked
Security Reviewer - Static Reviewer

Include Page
Security Reviewer - Static Reviewer_V
Security Reviewer - Static Reviewer_V

C26

Fully implemented
TrustInSoft Analyzer

Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V

incompatible declarationExhaustively verified.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

ISO/IEC TS 17961Declaring the same function or object in incompatible ways [funcdecl]Prior to 2018-01-12: CERT: Unspecified Relationship
MISRA C:2012Rule 8.4 (required)Prior to 2018-01-12: CERT: Unspecified Relationship
CERT C Secure Coding StandardARR31-C. Use consistent array notation across all source files

Bibliography

[Hatton 1995]Section 2.8.3
[ISO/IEC 9899:2011]
Section 6.7.6.

J.2, "

Array Declarators," and section 6.2.2, "Linkages of Identifiers"

...

Undefined Behavior"

[ISO/IEC 9899:2024]

6.7.7.4 "Function Declarators"


...

Image Modified Image Modified Image Modified