SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 60

changes.mady.by.user Liz Whiting

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

The C Standard, subclause 3.45.3 [ISO/IEC 9899:20112024], defines undefined behavior as

behavior, upon use of a nonportable or erroneous program construct or of erroneous data, for

which this International Standard

which this document imposes no requirements

.

Subclause 4 explains how the standard identifies undefined behavior . (See see also undefined behavior 1 of Annex J).)

If a "shall" or "shall not" requirement that appears outside of a

constraint is violated

constraint or runtime-constraint is violated, the behavior is undefined. Undefined behavior is otherwise indicated in this

International Standard by the

document by the words "undefined behavior" or by the omission of any explicit definition of behavior. There is no difference in emphasis among these three; they all describe "behavior that is undefined".

Annex J, subclause J.2, "Undefined behavior," enumerates the circumstances under which the behavior of a program is undefined. This list is duplicated on the CC. Undefined Behavior page.

...

An example of undefined behavior in C is the behavior on signed integer overflow . (See see also INT32-C. Ensure that operations on signed integers do not result in overflow). ) This noncompliant code example depends on this behavior to catch the overflow:

...

Although it is rare that the entire application can be strictly conforming, the goal should be that almost all the code is allowed for a strictly conforming program (which among other things means that it avoids undefined behavior), with the implementation-dependent parts confined to modules that the programmer knows are needed to adapt to the platform when it changes.

Recommendation

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

MSC15-C

High

Likely

Medium

No

No

P18

P9

L1

L2

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported: Astrée reports undefined behavior.
Helix QAC
LDRA tool suite

Include Page

LDRA

Helix QAC_V

LDRA

Helix QAC_V

48 D, 63 D, 84 D, 113 D, 5 Q, 64 S, 65 S, 100 S, 109 S, 156 S, 296 S, 324 S, 335 S, 336 S, 339 S, 412 S, 427 S, 465 S, 482 S, 497 S, 545 S, 587 S, 608 S, 642 S, 62 X, 63 X

Partially implementedPRQA QA-C Include PagePRQA QA-C_vPRQA QA-C_v

0160,0161,0162,0163,0164,0165,0166,0167,0168,0169,0170,0171,

 0172,0173,0174,0175,0176,0177,0178,0179, 0184,0185,0186,0190,

0191,0192,0193,0194,0195,0196,0197,0198,0199,0200,0201,0203,0204,

0206, 0207,0208,0235,0275,0304,0309,0337,0400,0401,0402,0403,0543,

0544,0545,0602,0623,0625,0626,0630,0632,0636,0654,0658,0661,0667,

0668,0672,0706,0745,0777,0779,0809,0813,0814,0836,0837,0848,0853,

0854,0864,0865,0867,0872,0874,0885,0887,0888,0914,0915,0942,3113,3114,

3239,3319,3438,0301,0302,0307,0475,0676,0678,0680,3311,3312,3437,1509,1510

Partially implemented

C0160, C0161, C0162, C0163, C0164, C0165, C0166, C0167, C0168, C0169, C0170, C0171, C0172, C0173, C0174, C0175, C0176, C0177, C0178, C0179, C0184, C0185, C0186, C0190, C0191, C0192, C0193, C0194, C0195, C0196, C0197, C0198, C0199, C0200, C0201, C0203, C0204, C0206, C0207, C0208, C0235, C0275, C0301, C0302, C0304, C0307, C0309, C0323, C0327, C0337, C0400, C0401, C0402, C0403, C0475, C0543, C0544, C0545, C0602, C0603, C0623, C0625, C0626, C0630, C0632, C0636, C0654, C0658, C0661, C0667, C0668, C0672, C0676, C0678, C0680, C0706, C0745, C0777, C0779, C0813, C0814, C0821, C0836, C0837, C0848, C0853, C0854, C0864, C0865, C0867, C0872, C0874, C0885, C0887, C0888, C0914, C0915, C0942, C1509, C1510, C3113, C3114, C3239, C3311, C3312, C3319, C3437, C3438


LDRA tool suite
Include Page
LDRA_V
LDRA_V

48 D, 63 D, 84 D, 113 D, 5 Q, 64 S, 65 S, 100 S, 109 S, 156 S, 296 S, 324 S, 335 S, 336 S, 339 S, 412 S, 427 S, 465 S, 482 S, 497 S, 545 S, 587 S, 608 S, 642 S, 62 X, 63 X

Partially implemented
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V
CERT_C-MSC15-a
CERT_C-MSC15-b

Evaluation of constant unsigned integer expressions should not lead to wrap-around
Evaluation of constant unsigned integer expressions in preprocessor directives should not lead to wraparound

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. MSC15-C


Checks for undefined behavior (rec. partially covered)

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V772

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Coding StandardVOID MSC15-CPP. Do not depend on undefined behavior
ISO/IEC TR 24772Unspecified Behaviour [BQF]
Undefined Behaviour [EWF]
Implementation-Defined Behaviour [FAB]

Bibliography

[ISO/IEC 9899:
2011
2024]Subclause 3.
4
5.3, "Undefined Behavior"
Subclause 4, "Conformance"
Subclause J.2, "Undefined Behavior"
[Seacord 2013]Chapter 5, "Integer Security"

...


...

Image Modified Image Modified Image Modified