SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 7

changes.mady.by.user Raunak Rungta

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

According to the C Standard, 6.8.5.3, paragraph 4 [ISO/IEC 9899:2024],

A switch statement causes control to jump to, into, or past the statement that is the switch body, depending on the value of a controlling expression, and on the presence of a default label and the values of any case labels on or in the switch body. A case or default label is accessible only within the closest enclosing switch statement

...

.

If a programmer declares variables and , initializes them before the first case statement, and try then tries to use them inside any of the case statements, those variables will have scope inside the switch block , but their value will be taken garbage. Any unexpected result can follow because of the above behavior.

Non Compliant Code:

not be initialized and will consequently contain indeterminate values.  Reading such values also violates EXP33-C. Do not read uninitialized memory.

Noncompliant Code Example

This noncompliant code example declares variables and contains executable statements before the first case label within the switch statement:

Code Block
bgColor#FFCCCC
langc
#include <stdio.h>
 
extern void f(int i);
 
void func(int expr) {
  switch (expr) {
    int i = 4;
    f(i);
  case 0:
    i = 17;
    /* Falls through into default code */
  default:
    printf("%d\n", i);
  }
}

Implementation Details

When the preceding example is executed on GCC 4.8.1, the variable i is In the example mentioned below, the variable i will be instantiated with automatic storage duration within the block, but it’s never it is not initialized. ThusConsequently, if the controlling expression expr has a non-zero nonzero value, the cause call to printf() will access an indeterminate value of i. Similarly, the call to function will also never get executed. f() is not executed.

Value of expr

Output

0

17

Nonzero

Indeterminate

Compliant Solution

In this compliant solution, the statements before the first case label occur before the switch statement:


int func
(
int expr)
) {
{
  /*
   * Move
switch (expr) { 
the code outside the switch block; now the statements
   * will get executed.
   */
  int i = 4;

  
f(i);

  switch (expr) {
    case 0:

      i = 17;

      /*
falls
 Falls through into default code */

    default:


      printf(
“%d
"%d\
n”
n", i);

  }

  return 0;
}

 Code Block
bgColor#ccccff
langc
#include <stdio.h>
 
extern void f(int i);
 
 Warning
 Wiki Markup
Compliant Solution
Risk Assessment
Using test conditions or initializing variables In the compliant solution, by moving the statements before the first case statement outside the in a switch block , the execution can be ensured and result in an expected behavior.result in unexpected behavior and undefined behavior 20.
Rule
Severity
Likelihood
Detectable
Repairable
Priority
Level
DCL41-C
Medium
Unlikely
Yes
Yes
P6
L2
Automated Detection
Tool
Version
Checker
Description
Astrée
 Include Page
Astrée_V
Astrée_V
switch-skipped-code
Fully checked
Axivion Bauhaus Suite
 Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V
CertC-DCL41Fully implemented
Clang
 Include Page
Clang_V
Clang_V
-Wsometimes-uninitialized

CodeSonar
 Include Page
CodeSonar_V
CodeSonar_V
LANG.STRUCT.SW.BADMalformed switch Statement
Coverity
 Include Page
Coverity_V
Coverity_V
MISRA C 2004 Rule 15.0
MISRA C 2012 Rule 16.1
Implemented
Cppcheck Premium
 Include Page
Cppcheck Premium_V
Cppcheck Premium_V
premium-cert-dcl41-c

Helix QAC
 Include Page
Helix QAC_V
Helix QAC_V
C2008, C2882, C3234Fully implemented
Klocwork
 Include Page
Klocwork_V
Klocwork_V
CERT.DCL.SWITCH.VAR_BEFORE_CASEFully implemented
LDRA tool suite 
 Include Page
LDRA_V
LDRA_V
385 SFully implemented
Parasoft C/C++test
 Include Page
Parasoft_V
Parasoft_V
CERT_C-DCL41-a
A switch statement shall only contain switch labels and switch clauses, and no other code
PC-lint Plus
 Include Page
PC-lint Plus_V
PC-lint Plus_V
527
Assistance provided
Polyspace Bug Finder
 Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V
CERT C: Rule DCL41-C
Checks for ill-formed switch statements (rule partially covered)
PVS-Studio
 Include Page
PVS-Studio_V
PVS-Studio_V
V622
RuleChecker
 Include Page
RuleChecker_V
RuleChecker_V
switch-skipped-code
Fully checked
TrustInSoft Analyzer
 Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V
initialisationExhaustively detects undefined behavior (see the compliant and the non-compliant example).
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy
Taxonomy item
Relationship
MISRA C:2012Rule 16.1 (required)Prior to 2018-01-12: CERT: Unspecified Relationship
Bibliography
[ISO/IEC 9899:2024]6.8.5.3, "The switch Statement"

...
Image Added Image Added Image Added