SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 147

changes.mady.by.user Unknown User (lflynn)

Saved on

compared with

New Version Current

changes.mady.by.user Francesco Mariani

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Note the comment warning programmers that the macro is unsafe. The macro can also be renamed ABS_UNSAFE() to make it clear that the macro is unsafe. This compliant solution, like all the compliant solutions for this rule, has undefined behavior (see  undefined behavior 36) if the argument to ABS() is equal to the minimum (most negative) value for the signed integer type. (See INT32-C. Ensure that operations on signed integers do not result in overflow for more information.)

...

This compliant solution follows the guidance of PRE00-C. Prefer inline or static functions to function-like macros by defining an inline function iabs() to replace the ABS() macro. Unlike the ABS() macro, which operates on operands of any type, the iabs() function will truncate arguments of types wider than int whose value is not in range of the latter type.

...

According to the C Standard, 6.5.12.1, paragraph 3 [ISO/IEC 9899:20112024]:

The controlling expression of a generic selection is not evaluated. If a generic selection has a generic association with a type name that is compatible with the type of the controlling expression, then the result expression of the generic selection is the expression in that generic association. Otherwise, the result expression of the generic selection is the expression in the default generic association. None of the expressions from any other generic association of the generic selection is evaluated. 

Because the expression is not evaluated as part of the generic selection, the use of a macro in this solution is guaranteed to evaluate the macro parameter v only once.

...

Invoking an unsafe macro with an argument that has side effects may cause those side effects to occur more than once. This practice can lead to unexpected program behavior.

Rule

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

PRE31-C

Low

Unlikely

Low

No

Yes

P3

P2

L3

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

expanded-side-effect-multiplied
expanded-side-effect-not-evaluated
side-effect-not-expanded

Partially checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-PRE31Fully implemented
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.PREPROC.FUNCMACRO
LANG.STRUCT.SE.DEC
LANG.STRUCT.SE.INC

Function-Like Macro
Side Effects in Expression with Decrement
Side Effects in Expression with Increment

Coverity

Include Page
Coverity_V
Coverity_V

ASSERT_SIDE_EFFECTS

Partially implemented

Can detect the specific instance where assertion contains an operation/function call that may have a side effect

Cppcheck Premium 

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

premium-cert-pre31-c
ECLAIR
Include Page
ECLAIR_V
ECLAIR_V
CC2.EXP31
CC2.PRE31		Fully implemented
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C3462, C3463, C3464,C3465,C3466,C3467

C++3225, C++3226, C++3227, C++3228, C++3229 

Fully implemented
Klocwork

Include Page
Klocwork_V
Klocwork_V

PORTING.VAR.EFFECTSFully implemented
LDRA tool suite
Include Page
LDRA_V
LDRA_V

9 S, 562 S, 572 S, 35 D, 1 Q

Fully implemented

Parasoft C/C++test
9.5CODSTA-123Partially implementedPolyspace Bug FinderR2016aMISRA2012-RULE-13_2Partial
Include Page
Parasoft_V
Parasoft_V

CERT_C-PRE31-b
CERT_C-PRE31-c
CERT_C-PRE31-d

Assertions should not contain assignments, increment, or decrement operators
Assertions should not contain function calls nor function-like macro calls
Avoid side effects in arguments to unsafe macros

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

666, 2666

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule PRE31-C

Checks for side effect in arguments to unsafe macro (rule partially covered)


RuleChecker
Include Page
RuleChecker_V
RuleChecker_V

expanded-side-effect-multiplied
expanded-side-effect-not-evaluated
side-effect-not-expanded

Partially checked
Security Reviewer - Static Reviewer

Include Page
Security Reviewer - Static Reviewer_V
Security Reviewer - Static Reviewer_V

RTOS_28

Fully implemented
PRQA QA-C Include PagePRQA QA-C_vPRQA QA-C_v

3454, 3455, 3456

Fully implementedPRQA QA-C++ 3225, 3226, 3227, 3228, 3229  

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT CPRE00-C. Prefer inline or static functions to function-like macrosPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CPRE12-C. Do not define unsafe macrosPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CMSC14-C. Do not introduce unnecessary platform dependenciesPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CDCL37-C. Do not declare or define a reserved identifierPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CPRE31-CPP. Avoid side-effects in arguments to unsafe macrosPrior to 2018-01-12: CERT: Unspecified Relationship
CERT Oracle Secure Coding Standard for JavaEXP06-J. Expressions used in assertions must not produce side effectsPrior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Pre-processor Directives [NMP]Prior to 2018-01-12: CERT: Unspecified Relationship
MISRA C:2012Rule 20.5 (advisory)Prior to 2018-01-12: CERT: Unspecified Relationship

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

Bibliography

[Dewhurst 2002]Gotcha #28, "Side Effects in Assertions"
[ISO/IEC 9899:
2011
2024]Subclause 6.5.
1
2.1, "Generic Selection" 
[Plum 1985]Rule 1-11

...


...