switch statement as discussed above).
A C enumeration defines a type with a finite set of values represented by identifiers known as enumeration constants, or enumerators. An enumerator is a constant integer expression whose value is representable as an int. While the language allows multiple enumerators of the same type to have the same value, it is a common expectation that all enumerators of the same type have distinct values. However, defining two or more enumerators of the same type to have the same value can lead to some nonobvious errors.
In this noncompliant code example, two enumerators of type Color are assigned explicit values. It may not be obvious to the programmer that yellow and indigo have been declared to be identical values (6), as are green and violet (7). Probably the least dangerous error that can result from such a definition is attempting to use the enumerators as labels of a switch statement. Since all labels in a switch statement are required to be unique, the following code violates this semantic constraint and is required to be diagnosed by a conforming compiler:
enum Color { red=4, orange, yellow, green, blue, indigo=6, violet };
const char* color_name(enum Color col) {
switch (col) {
case red: return "red";
case orange: return "orange";
case yellow: return "yellow";
case green: return "green";
case blue: return "blue";
case indigo: return "indigo"; // error: duplicate label (yellow)
case violet: return "violet"; // error: duplicate label (green)
}
}
|
To prevent the error discussed above enumeration type declarations must take one of the following forms:
enum Color { red, orange, yellow, green, blue, indigo, violet };
|
enum Color { red=4, orange, yellow, green, blue, indigo, violet };
|
enum Color {
red=4,
orange=5,
yellow=6,
green=7,
blue=8,
indigo=6,
violet=7
};
|
It is also advisable to provide a comment explaining why multiple enumeration type members are being assigned the same value so that future maintainers don't mistakenly identify this as an error.
Of these three options, the first — "provide no explicit integer assignments" — is the simplest, and consequently the preferred, approach unless the first enumerator must have non-zero value.
INT09-EX1: In cases where defining an enumeration with two or more enumerators with the same value is intended the constant expression used to define the value of the duplicate enumerator should reference the enumerator rather than the original enumerators value. This makes the intent clear to both human readers of the code as well as automated code analysis tools that detect violations of this guideline and would diagnose them otherwise. Note, however, that this does not make it possible to use such enumerators in contexts where unique values are required (such as in a
switch statement as discussed above).
enum Color { red, orange, yellow, green, blue, indigo, violet=indigo };
|
Failing to ensure that constants within an enumeration have unique values can result in unexpected results.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
INT09-C |
low |
probable |
medium |
P4 |
L3 |
The LDRA tool suite V 7.6.0 can detect violations of this recommendation.
Compass/ROSE can detect violations of this recommendation.
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
This rule appears in the C++ Secure Coding Standard as INT09-CPP. Ensure enumeration constants map to unique values.
\[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\] Section 6.7.2.2, "Enumeration specifiers" \[[ISO/IEC PDTR 24772|AA. Bibliography#ISO/IEC PDTR 24772]\] "CCB Enumerator issues" \[[MISRA 04|AA. Bibliography#MISRA 04]\] Rule 9.3 |
04. Integers (INT) INT11-C. Take care when converting from pointer to integer or integer to pointer