 
The C language provides several different kinds of constants: integer constants, such as 10 and 0x1C; floating constants, such as 1.0 and 6.022e+23; and character constants, such as 'a' and '\x10'. C also provides string literals, such as "hello, world" and "\n". These constants can all be referred to as literals.
The C programming language has several mechanisms for creating named, symbolic constants: const-qualified objects, enumeration constants, and object-like macro definitions. Each of these mechanisms has associated advantages and disadvantages.
const-Qualified Objects
Objects that are const-qualified have scope and can be type-checked by the compiler. Because they are named objects (unlike macro definitions), some debugging tools can show the name of the object. The object also consumes memory.
A const-qualified object allows you to specify the exact type of the constant. For example,
| Code Block | 
|---|
| 
const unsigned int buffer_size = 256;
 | 
...
Unfortunately, const-qualified objects cannot be used where compile-time integer constants are required, namely to define the
- Size of a bit-field member of a structure.
- Size of an array (except in the case of variable length arrays).
- Value of an enumeration constant.
- Value of a case constant.
If any of these are required, then an integer constant (which would be an rvalue) must be used.
const-qualified objects allow the programmer to take the address of the object:
| Code Block | 
|---|
| 
const int max = 15;
int a[max]; /* Invalid declaration outside of a function */
const int *p;

/* A const-qualified object can have its address taken */
p = &max;
 | 
const-qualified objects are likely to incur some runtime overhead [Saks 2001b]. Most C compilers, for example, allocate memory for const-qualified objects. const-qualified objects declared inside a function body can have automatic storage duration. If so, the compiler will allocate storage for the object, and it will be on the stack. As a result, this storage will need to be allocated and initialized each time the containing function is invoked.
Enumeration Constants
Enumeration constants can be used to represent an integer constant expression that has a value representable as an int. Unlike const-qualified objects, enumeration constants do not consume memory. No storage is allocated for the value, so it is not possible to take the address of an enumeration constant.
| Code Block | 
|---|
| 
enum { max = 15 };
int a[max]; /* OK outside function */
const int *p;

p = &max; /* Error: "&" on enum constant */
 | 
Enumeration constants do not allow the type of the value to be specified. An enumeration constant whose value can be represented as an int is always an int.
Object-like Macros
A preprocessing directive of the form
# define identifier replacement-list
defines an object-like macro that causes each subsequent instance of the macro name to be replaced by the replacement list of preprocessing tokens that constitute the remainder of the directive [ISO/IEC 9899:1999].
C programmers frequently define symbolic constants as object-like macros. For example, the code
| Code Block | 
|---|
| 
#define buffer_size 256
 | 
defines buffer_size as a macro whose value is 256. The preprocessor substitutes macros before the compiler does any other symbol processing. Later compilation phases never see macro symbols, such as buffer_size; they see only the source text after macro substitution. As a result, many compilers do not preserve macro names among the symbols they pass on to their debuggers.
...
Object-like macros do not consume memory; consequently, it is not possible to create a pointer to one. Macros do not provide for type checking because they are textually replaced by the preprocessor.
Macros can be passed as compile-time arguments.
Summary
The following table summarizes some of the differences between const-qualified objects, enumeration constants, and object-like macro definitions.
| Method | Evaluated At | Consumes Memory | Viewable by Debuggers | Type Checking | Compile-Time Constant Expression |
|---|---|---|---|---|---|
| Enumerations | Compile time | No | Yes | Yes | Yes |
| const-qualified | Runtime | Yes | Yes | Yes | No |
| Macros | Preprocessor | No | No | No | Yes |
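The differences summarized above can be checked by the compiler. The following is an added example, not code from the original page; the names MACRO_MAX, ENUM_MAX, const_max and the helper functions are hypothetical, and the type check assumes a C11 compiler for _Generic.

```c
#include <stddef.h>

#define MACRO_MAX 15                        /* object-like macro: pure text substitution */
enum { ENUM_MAX = 15 };                     /* enumeration constant: type int, no storage */
static const unsigned int const_max = 15;   /* const-qualified object: typed, has storage */

/* Each context below requires an integer constant expression. The macro and
   the enumeration constant qualify; const_max does not, so it cannot
   portably appear in any of them. */
struct packed_flags {
  unsigned int low  : ENUM_MAX;             /* size of a bit-field member */
  unsigned int high : MACRO_MAX;
};
int table[ENUM_MAX];                        /* size of a file-scope array */
enum { DOUBLE_MAX = 2 * MACRO_MAX };        /* value of an enumeration constant */

int classify(int v) {
  switch (v) {
    case ENUM_MAX:   return 1;              /* value of a case constant */
    case DOUBLE_MAX: return 2;
    default:         return 0;
  }
}

size_t table_len(void) { return sizeof(table) / sizeof(table[0]); }

/* Only the const-qualified object has an address that can be taken. */
const unsigned int *max_address(void) { return &const_max; }

/* C11 _Generic reports the type each constant carries:
   1 = int, 2 = unsigned int, 0 = anything else. */
#define TYPE_ID(x) _Generic((x), int: 1, unsigned int: 2, default: 0)
int enum_type_id(void)  { return TYPE_ID(ENUM_MAX); }   /* always int */
int const_type_id(void) { return TYPE_ID(const_max); }  /* the declared type */
```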
Noncompliant Code Example
The meaning of the integer literal 18 is not clear in this example:
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| 
/* ... */
if (age >= 18) {
   /* Take action */
}
else {
  /* Take a different action */
}
/* ... */
 | 
...
This compliant solution replaces the integer literal 18 with the symbolic constant ADULT_AGE to clarify the meaning of the code:
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| 
enum { ADULT_AGE=18 };
/* ... */
if (age >= ADULT_AGE) {
   /* Take action */
}
else {
  /* Take a different action */
}
/* ... */
 | 
...
Integer literals are frequently used when referring to array dimensions, as shown in this noncompliant code example:
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| 
char buffer[256];
/* ... */
fgets(buffer, 256, stdin);
 | 
This use of integer literals can easily result in buffer overflows if, for example, the buffer size is reduced but the integer literal used in the call to fgets() is not.
Compliant Solution (enum)
In this compliant solution, the integer literal is replaced with an enumeration constant. (See recommendation DCL00-C. Const-qualify immutable objects.)
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| 
enum { BUFFER_SIZE=256 };
char buffer[BUFFER_SIZE];
/* ... */
fgets(buffer, BUFFER_SIZE, stdin);
 | 
...
Frequently, it is possible to obtain the desired readability by using a symbolic expression composed of existing symbols rather than by defining a new symbol. For example, a sizeof expression can work just as well as an enumeration constant. (See recommendation EXP09-C. Use sizeof to determine the size of a type or variable.)
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| 
char buffer[256];
/* ... */
fgets(buffer, sizeof(buffer), stdin);
 | 
The sizeof expression in this example reduces the total number of names declared in the program, which is generally a good idea [Saks 2002]. The sizeof operator is almost always evaluated at compile time (except in the case of variable-length arrays).
When working with sizeof(), keep in mind recommendation ARR01-C. Do not apply the sizeof operator to a pointer when taking the size of an array.
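The enum and sizeof solutions above, combined with the ARR01-C caveat, look like this in a complete program. This is an added example, not code from the original page; read_line(), stored_length(), the value 16 and the sample input are hypothetical, and tmpfile() is assumed to be usable so the example runs without a terminal.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum { BUFFER_SIZE = 16 };  /* the one place the size is stated (constructed value) */

/* Inside this function buf is a pointer, so sizeof(buf) would yield the
   pointer size rather than the array size (ARR01-C). The caller passes
   the size instead. Returns the number of characters stored. */
static size_t read_line(char *buf, size_t size, FILE *in) {
  if (size == 0 || size > INT_MAX) return 0;
  if (fgets(buf, (int)size, in) == NULL) return 0;
  return strlen(buf);
}

/* Writes constructed input to a temporary stream and reads it back.
   Returns the number of characters stored, or 0 on failure. */
size_t stored_length(const char *input) {
  char buffer[BUFFER_SIZE];
  size_t n = 0;
  FILE *in = tmpfile();
  if (in == NULL) return 0;
  if (fputs(input, in) != EOF) {
    rewind(in);
    /* buffer is an array in this scope, so sizeof follows its declaration
       and the limit cannot drift away from BUFFER_SIZE. */
    n = read_line(buffer, sizeof(buffer), in);
  }
  fclose(in);
  return n;
}

int main(void) {
  /* Constructed input longer than the buffer: fgets() stores at most
     BUFFER_SIZE - 1 characters plus the terminating null character. */
  printf("%zu\n", stored_length("a line much longer than the buffer\n"));
  return 0;
}
```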
...
In this noncompliant code example, the string literal "localhost" and integer constant 1234 are embedded directly in program logic and are consequently difficult to change:
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| 
LDAP *ld = ldap_init("localhost", 1234);
if (ld == NULL) {
  perror("ldap_init");
  return(1);
}
 | 
...
In this compliant solution, the host name and port number are both defined as object-like macros so they can be passed as compile-time arguments:
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| 
#ifndef PORTNUMBER     /* Might be passed on compile line */
#  define PORTNUMBER 1234
#endif

#ifndef HOSTNAME        /* Might be passed on compile line */
#  define HOSTNAME "localhost"
#endif

/* ... */

LDAP *ld = ldap_init(HOSTNAME, PORTNUMBER);
if (ld == NULL) {
  perror("ldap_init");
  return(1);
}
 | 
Exceptions
DCL06-C-EX1: Although replacing numeric constants with a symbolic constant is often a good practice, it can be taken too far. Remember that the goal is to improve readability. Exceptions can be made for constants that are themselves the abstraction you want to represent, as in this compliant solution.
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| 
x = (-b + sqrt(b*b - 4*a*c)) / (2*a);
 | 
Replacing numeric constants with symbolic constants in this example does nothing to improve the readability of the code and can actually make the code more difficult to read.
| Code Block | 
|---|
| 
enum { TWO = 2 };     /* A scalar */
enum { FOUR = 4 };    /* A scalar */
enum { SQUARE = 2 };  /* An exponent */
x = (-b + sqrt(pow(b, SQUARE) - FOUR*a*c))/ (TWO * a);
 | 
...
Note that this example does not check for invalid operations (taking the sqrt() of a negative number). See rule FLP32-C. Prevent or detect domain and range errors in math functions for more information on detecting domain and range errors in math functions.
...
Using numeric literals makes code more difficult to read and understand. Buffer overruns are frequently a consequence of a magic number being changed in one place (such as in an array declaration) but not elsewhere (such as in a loop through an array).
| Recommendation | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| DCL06-C | Low | Unlikely | Yes | No | P2 | L3 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| Axivion Bauhaus Suite | | CertC-DCL06 | |
| CodeSonar | | LANG.STRUCT.SW.SWNEE | Switch with non-enum expression |
| Compass/ROSE | | | Could detect violations of this recommendation merely by searching for the use of "magic numbers" and magic strings in the code itself. That is, any number (except a few canonical numbers: −1, 0, 1, 2) that appears in the code anywhere besides where assigned to a variable is a magic number and should instead be assigned to a ... |
| | | CC2.DCL06 | Fully implemented |
| Helix QAC | | C3120, C3121, C3122, C3123, C3131, C3132 | |
| Klocwork | | CERT.LITERAL.INT.CONST | |
| LDRA tool suite | | 201 S | Fully implemented |
| Parasoft C/C++test | | CERT_C-DCL06-a | Use meaningful symbolic constants to represent literal values |
| Polyspace Bug Finder | | | Checks for: Rec. fully covered. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
...
...
ISO/IEC TR 24772 "BRS Leveraging human experience"
...
...
Use of hard-coded, security-relevant constants
Bibliography
Chapter 10, http://www.doc.ic.ac.uk/lab/cplus/c++.rules/chap10.html
[Saks 2001a]
[Saks 2001b]
[Saks 2002]
[Summit 2005] Question 10.5b, http://c-faq.com/cpp/constvsdefine.html