SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 57

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

Wiki MarkupImmutable objects should be {{const}}\-qualified. Enforcing object immutability using {{const}}\- qualification helps ensures ensure the correctness and security of applications. ISO/IEC PDTR 24772 \[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\], for example, recommends labeling parameters as constant to avoid the unintentional modification of function arguments. [STR05-A. Prefer making string literals const-qualified] describes a specialized case of this recommendation. TR 24772, for example, recommends labeling parameters as constant to avoid the unintentional modification of function arguments [ISO/IEC TR 24772]. STR05-C. Use pointers to const when referring to string literals describes a specialized case of this recommendation.

Adding const qualification may propagate through a program; as you add const, qualifiers , become still more become necessary. This phenomenon is sometimes called "const-poisoning." Const-poisoning poisoning, which can frequently lead to violations of EXP05-AC. Do not cast away a const qualification. While Although const qualification is a good idea, the costs may outweigh the value in the remediation of existing code.

...

A macro or an enumeration constant may also be used instead of a const-qualified object. DCL06-C. Use meaningful symbolic constants to represent literal values describes the relative merits of using const-qualified objects, enumeration constants, and object-like macros. However, adding a const qualifier to an existing variable is a better first step than replacing the variable with an enumeration constant or macro because the compiler will issue warnings on any code that changes your const-qualified variable. Once you have verified that a const-qualified variable is not changed by any code, you may consider changing it to an enumeration constant or macro, as best fits your design.

Noncompliant Code Example

In this non-compliant noncompliant code example, pi is declared as a float. Although pi is a mathematical constant, its value is not protected from accidental modification.

Code Block
bgColor#FFCCCC
langc

float pi = 3.14159f;
float degrees;
float radians;
/* ... */
radians = degrees * pi / 180;

Compliant Solution

In this compliant solution, pi is declared as a const-qualified object.:

Code Block
bgColor#ccccff
langc

const float pi = 3.14159f;
float degrees;
float radians;
/* ... */
radians = degrees * pi / 180;

Risk Assessment

Failing to const-qualify immutable objects can result in a constant being modified at runtime.

Recommendation

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

DCL00

-A

1 (low)

1 (unlikely)

1 (high)

P1

L3

-C

Low

Unlikely

Yes

Yes

P3

L3

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
parameter-missing-constPartially checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-DCL00
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.CAST.PC.CRCQ

LANG.TYPE.VCBC

LANG.STRUCT.RPNTC

Cast removes const qualifier

Variable Could Be const

Returned Pointer Not Treated as const

Compass/ROSE




ECLAIR

Include Page
ECLAIR_V
ECLAIR_V

CC2.DCL00

Partially implemented

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C3204, C3227, C3232, C3673, C3677


LDRA tool suite
Include Page
LDRA_V
LDRA_V

78 D
93 D
200 S

Fully implemented

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-DCL00-a
CERT_C-DCL00-b

Declare local variable as const whenever possible
Declare parameters as const whenever possible

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

953

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: DCL00-CChecks for unmodified variable not const-qualified (rule fully covered).
RuleChecker
Include Page
RuleChecker_V
RuleChecker_V
parameter-missing-constPartially checked

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.7.3, "Type qualifiers"
\[[Saks 00|AA. C References#Saks 00]\] Dan Saks. [Numeric Literals|http://www.embedded.com/2000/0009/0009pp.htm]. Embedded Systems Programming.  September, 2000.

Related Guidelines

SEI CERT C++ Coding StandardVOID DCL00-CPP. Const-qualify immutable objects

 Bibliography

[Dewhurst 2002]Gotcha #25, "#define Literals"
[Saks 2000]


...

Image Added Image Added Image Added02. Declarations and Initialization (DCL)      02. Declarations and Initialization (DCL)       DCL01-A. Do not reuse variable names in subscopes