SEI CERT C++ Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 22

changes.mady.by.user Robert Schiela

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

...

The macro offsetof(type, member-designator) accepts a restricted set of type arguments in this International Standard. If type is not a standard-layout class, the results are undefined. The expression offsetof(type, member-designator) is never type-dependent and it is value-dependent if and only if type is dependent. The result of applying the offsetof macro to a field that is a static data member or a function member is undefined. No operation invoked by the offsetof macro shall throw an exception and noexcept(offsetof(type, member-designator)) shall be true.

When specifying the type argument for the offsetof() macro, pass only a standard-layout class. The full description of a standard-layout class can be found in paragraph 7 of the [class] clause of the C++ Standard, or the type can be checked with the std::is_standard_layout<> type trait. When specifying the member designator argument for the offsetof() macro, do not pass a bit-field, static data member, or function member. Passing an invalid type or member to the offsetof() macro is undefined behavior.

Noncompliant Code Example

In this noncompliant code example, a type that is not a standard-layout class is passed to the offsetof() macro, resulting in undefined behavior.

Code Block
bgColor#FFcccc
langcpp
#include <cstddef>
 
struct D {
  virtual void f() {}
  int i;
};
 
void f() {
  size_t off = offsetof(D, i);
  // ...
}

...

In this noncompliant code example, the offset to i is calculated so that a value can be stored at that offset within buffer. However, because i is a static data member of the class, this example results in undefined behavior. According to the C++ Standard, [class.static.data], paragraph 1 [ISO/IEC 14882-2014], static data members are not part of the subobjects of a class.

...

Passing an invalid type or member to offsetof() can result in undefined behavior that might be exploited to cause data integrity violations or result in incorrect values from the macro expansion.

Rule

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

EXP59-CPP

Medium

Unlikely

Yes

Medium

No

P4

L3 

Automated Detection 

Tool

Version

Checker

Description

Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC++-EXP59
Clang
Include Page
Clang_V
Clang_V

-Winvalid-offsetof

Emits an error diagnostic on invalid member designators, and emits a warning diagnostic on invalid types.
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

BADMACRO.OFFSETOF

Use of offsetof

GCC
Include Page
Gcc_V
Gcc_V

-Winvalid-offsetof

Emits an error diagnostic on invalid member designators, and emits a warning diagnostic on invalid types.
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C++3915, C++3916


Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_CPP-EXP59-aUse offsetof() on valid types and members
Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C++: EXP59-CPPChecks use of offsetof macro with nonstandard layout class (rule fully covered)

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

[ISO/IEC 9899:1999]Subclause 7.17, "Common Definitions <stddef.h>"
[ISO/IEC 14882-2014]

Subclause 9.4.2, "Static Data Members"

Subclause 18.2, "Types"

...


...

Image Modified