SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 71

changes.mady.by.user David Keaton

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Calling the signal() function in a multithreaded program is undefined behavior. (see See undefined behavior 135.).

Noncompliant Code Example

...

Code Block
bgColor#ffcccc
langc
#include <signal.h>
#include <stddef.h>
#include <threads.h>
 
volatile sig_atomic_t flag = 0;

void handler(int signum) {
  flag = 1;
}

/* Runs until user sends SIGUSR1 */
int func(void *data) {
  while (!flag) {
    /* ... */
  }
  return 0;
}

int main(void) {
  signal(SIGUSR1, handler); /* Undefined behavior */
  thrd_t tid;
  
  if (thrd_success != thrd_create(&tid, func, NULL)) {
    /* Handle error */
  }
  /* ... */
  return 0;
}

NOTE: The SIGUSR1 signal value is not defined in the C Standard; consequently, this is not a C-compliant code example.

...

This compliant solution uses an object of type atomic_flagbool to indicate when the child thread should terminate its loop:

Code Block
bgColor#ccccff
langc
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <threads.h>
 
atomic_bool flag = ATOMIC_VAR_INIT(false);

int func(void *data) {
  while (!flag) {
    /* ... */
  }
  return 0;
}

int main(void) {
  int result;
  thrd_t tid;
  
  if (thrd_success != thrd_create(&tid, func, NULL)) {
    /* Handle error */
  }
  /* ... */
  /* Set flag when done */
  atomic_store(&flag,flag = true);

  return 0;
}

Exceptions

CON37-C-EX1: Implementations such as POSIX that provide defined behavior when multithreaded programs use custom signal handlers are exempt from this rule [IEEE Std 1003.1-2013].

...

Mixing signals and threads causes undefined behavior 135.

Rule

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

CON37-C

Low

Probable

Low

Yes

No

P6

P4

L2

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Automated Detection

ToolVersionCheckerDescription
Astrée
Include Page
Astrée_V
Astrée_V
stdlib-use-signalFully checked
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
BADFUNC.SIGNALUse of signal
Coverity
Include Page
Coverity_V
Coverity_V
MISRA C 2012 Rule 21.5Over-constraining
Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

premium-cert-con37-c
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C5021

C++5022


Klocwork
Include Page
Klocwork_V
Klocwork_V

MISRA.STDLIB.SIGNAL


LDRA tool suite
Include Page
LDRA_V
LDRA_V
44 SEnhanced enforcement
Parasoft C/C++test
9.5MISRA2012-RULE-21_5_b
Include Page
Parasoft_V
Parasoft_V

CERT_C-CON37-a

The signal handling facilities of <signal.h> shall not be used
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

586

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule CON37-CChecks for signal call in multithreaded program (rule fully covered)
RuleChecker
Include Page
RuleChecker_V
RuleChecker_V
stdlib-use-signalFully checked
Use of signal

Bibliography

[IEEE Std 1003.1-2013]XSH 2.9.1, "Thread Safety"

...


...

Image Modified Image Modified Image Modified