The macro expansion must always be parenthesized to protect any lower-precedence operators from the surrounding expression. See also [[PRE01]].
Non-Compliant Code Example
This CUBE() macro definition is non-compliant because it fails to parenthesize the macro expansion.
#define CUBE(X) (X) * (X) * (X) int i = 3; int a = 81 / CUBE(i);
As a result, the invocation
int a = 81 / CUBE(i);
expands to
int a = 81 / i * i * i;
which evaluates as
int a = ((81 / i) * i) * i); /* evaluates to 243 */
while the desired behavior is
int a = 81 / ( i * i * i); /* evaluates to 3 */
Compliant Solution
By parenthesizing the macro expansion, the CUBE() macro expands correctly (when invoked in this manner).
#define CUBE(X) ((X) * (X) * (X)) int i = 3; int a = 81 / CUBE(i);
However, if a parameter appears several times in the expansion, the macro may not work properly if the actual argument is an expression with side effects. Given the CUBE() macro above, the invocation
int a = 81 / CUBE(i++);
expands to
int a = 81 / (i++ * i++ * i++);
which is undefined (see [[EXP30]]).
Risk Assessment
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
PRE02-A |
1 (low) |
1 (unlikely) |
3 (low) |
P3 |
L3 |
Examples of vulnerabilities resulting from the violation of this recommendation can be found on the
CERT website.
References
[[Summit 05]] Question 10.1
[[ISO/IEC 9899-1999]] Section 6.10, "Preprocessing directives," and Section 5.1.1, "Translation environment"