SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 99

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

...

  • The alignment of bit-fields in the storage unit . For (for example, the bit-fields may be allocated from the high end or the low end of the storage unit.)
  • Whether or not bit-fields can overlap a storage unit boundary.

Consequently, it is impossible to write portable safe code that makes assumptions regarding the layout of bit-field structure members.

...

Code Block
bgColor#ffcccc
langc
struct bf {
  unsigned int m1 : 8;
  unsigned int m2 : 8;
  unsigned int m3 : 8;
  unsigned int m4 : 8;
}; /* 32 bits total */

void function() {
  struct bf data;
  unsigned char *ptr;

  data.m1 = 0;
  data.m2 = 0;
  data.m3 = 0;
  data.m4 = 0;
  ptr = (unsigned char *)&data;
  (*ptr)++; /* canCan increment data.m1 or data.m4 */
}

...

Noncompliant Code Example (Bit-Field Overlap)

In the following this noncompliant code example, assuming 8 bits to a byte, if bit-fields of 6 and 4 bits are declared, is each bit-field contained within a byte, or are the bit-fields split across multiple bytes?

Code Block
bgColor#ffcccc
langc
struct bf {
  unsigned int m1 : 6;
  unsigned int m2 : 4;
};

void function() {
  unsigned char *ptr;
  struct bf data;
  data.m1 = 0;
  data.m2 = 0;
  ptr = (unsigned char *)&data;
  ptr++;
  *ptr += 1; /* whatWhat does this increment? */
}

...

Making invalid assumptions about the type of type-cast data, especially bit-fields, can result in unexpected data values.

Recommendation

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

EXP11-C

Medium

medium

Probable

probable

No

medium

No

P8

P4

L2

L3

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported: Astrée reports runtime errors resulting from invalid assumptions.
Compass/ROSE

 

 



Can detect violations of this recommendation. Specifically, it reports violations if

a pointer
    • A pointer to one object is type cast to the pointer of a different object
the
    • The pointed-to object of the (type cast) pointer is then modified arithmetically
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0310, C0751
LDRA tool suite
Include Page
LDRA_V
LDRA_V
94 S
95

554 S

Fully implemented

PRQA QA-C
Polyspace Bug Finder

Include Page

PRQA

Polyspace Bug Finder_V

PRQA

Polyspace Bug Finder_V

0310Partially implemented
CERT C: Rec. EXP11-C

Checks for bit fields accessed using pointer.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.

Related Guidelines

SEI CERT C++
Secure
Coding StandardVOID EXP11-CPP. Do not apply operators expecting one type to data of an incompatible type
ISO/IEC TR 24772:2013Bit Representations [STR]
MISRA C:2012Directive 1.1 (required)

Bibliography

[Plum 1985]Rule 6-5: In portable code, do not depend upon the allocation order of bit-fields within a word

...


...

Image Modified Image Modified Image Modified