
The C standard Standard allows an array variable to be declared both with a bound and with an initialization literal. The initialization literal also implies an array bound in the number of elements specified.
...
but it is also possible to use designators to initialize array elements in a noncontiguous fashion. Section Subclause 6.7.9, Example 12, of the C standard Standard [ISO/IEC 9899:2011] states:
Space can be "allocated" from both ends of an array by using a single designator:
Code Block int a[MAX] = { 1, 3, 5, 7, 9, [MAX-5] = 8, 6, 4, 2, 0 };In the above, if
MAX
is greater than ten, there will be some zero-valued elements in the middle; if it is less than ten, some of the values provided by the first five initializers will be overridden by the second five.
The C standard also Standard also dictates how array initialization is handled when the number of initialization elements does not equal the explicit array bound. Section Subclause 6.7.9, para. 21–22, statesparagraphs 21 and 22, state:
If there are fewer initializers in a brace-enclosed list than there are elements or members of an aggregate, or fewer characters in a string literal used to initialize an array of known size than there are elements in the array, the remainder of the aggregate shall be initialized implicitly the same as objects that have static storage duration.
If an array of unknown size is initialized, its size is determined by the largest indexed element with an explicit initializer. The array type is completed at the end of its initializer list.
...
Note that this recommendation does not apply (in all cases) to character arrays initialized with string literals. See STR36 STR11-C. Do not specify the bound of a character array initialized with a string literal for more information.
Noncompliant Code Example (Incorrect Size)
This noncompliant code example initializes an array of integers using an initialization with too many elements for the array.:
Code Block | ||||
---|---|---|---|---|
| ||||
int a[3] = {1, 2, 3, 4}; |
...
This noncompliant code example generates a warning in GCC. Microsoft Visual Studio 2008 generates a fatal diagnostic: error C2078: too many initializers
.
...
This compliant solution explicitly specifies the array bound.:
Code Block | ||||
---|---|---|---|---|
| ||||
int a[4] = {1, 2, 3, 4}; |
Explicitly specifying the array bound, although it is implicitly defined by an initializer, allows a compiler or other static analysis tool to issue a diagnostic if these values do not agree.
Exceptions
ARR02-EX0C-EX1:STR36 STR11-C. Do not specify the bound of a character array initialized with a string literal is a specific exception to this recommendation; it requires that the bound of a character array initialized with a string literal is unspecified.
Risk Assessment
Recommendation | Severity | Likelihood |
---|
Detectable | Repairable | Priority | Level |
---|---|---|---|
ARR02-C | Medium |
Unlikely |
Yes |
Yes | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| array-size-global | Partially checked | ||||||
Axivion Bauhaus Suite |
| CertC-ARR02 | Fully implemented | ||||||
Compass/ROSE |
| CC2.ARR02 | Fully implemented | |||||||
Helix QAC |
| C0678, C0688, C3674, C3684 |
LDRA tool suite |
| 127 S | Fully implemented | ||||||
Parasoft C/C++test |
| CERT_C-ARR02-a | Explicitly specify array bounds in array declarations with initializers | ||||||
PC-lint Plus |
|
Partially implemented
| 576 | Partially supported | |||
Polyspace Bug Finder |
|
araydecl
Fully implemented
| Checks for improper array initialization (rec, partially covered). | ||||||||
PVS-Studio |
| V798 | |||||||
RuleChecker |
| array-size-global | Partially checked | ||||||
SonarQube C/C++ Plugin |
| S834 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT C | CTR02-CPP. Explicitly specify array bounds, even if implicitly defined by an initializer | Prior to 2018-01-12: CERT: Unspecified Relationship |
CWE 2.11 | CWE-665, Incorrect or incomplete initialization | Prior to 2018-01-12: CERT: |
MISRA C:2012 | Rule 8.11 (advisory) | Prior to 2018-01-12: CERT: Unspecified Relationship |
MISRA C:2012 | Rule 9.5 (required) | Prior to 2018-01-12: CERT: Unspecified Relationship |
Bibliography
...
] | Subclause 6.7.9, "Initialization" |
...
MITRE CWE: CWE-665, "Incorrect or incomplete initialization"
...
...