SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 245

changes.mady.by.user Kris Kafka

Saved on

compared with

New Version 246

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

ToolVersionCheckerDescription
Astrée
Include Page
Astrée_V
Astrée_V

uninitialized-local-read

uninitialized-variable-use

Fully checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-EXP33
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
LANG.MEM.UVARUninitialized variable
Compass/ROSE

Automatically detects simple violations of this rule, although it may return some false positives. It may not catch more complex violations, such as initialization within functions taking uninitialized variables as arguments. It does catch the second noncompliant code example, and can be extended to catch the first as well

Coverity
Include Page
Coverity_V
Coverity_V

UNINIT

Implemented
Cppcheck
Include Page
Cppcheck_V
Cppcheck_V

uninitvar
uninitdata
uninitstring
uninitMemberVar
uninitStructMember

Detects uninitialized variables, uninitialized pointers, uninitialized struct members, and uninitialized array elements (However, if one element is initialized, then cppcheck assumes the array is initialized.)
There are FN compared to some other tools because Cppcheck tries to avoid FP in impossible paths.

GCC4.3.5

Can detect some violations of this rule when the -Wuninitialized flag is used

Klocwork
Include Page
Klocwork_V
Klocwork_V

UNINIT.HEAP.MIGHT
UNINIT.HEAP.MUST
UNINIT.STACK.ARRAY.MIGHT
UNINIT.STACK.ARRAY.MUST UNINIT.STACK.ARRAY.PARTIAL.MUST
UNINIT.STACK.MIGHT
UNINIT.STACK.MUST


LDRA tool suite
Include Page
LDRA_V
LDRA_V

53 D, 69 D, 631 S, 652 S

Fully implemented

Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-EXP33-a

Avoid use before initialization

Parasoft Insure++

Include Page
Parasoft_V
Parasoft_V


Runtime analysis
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

530, 603, 644, 901

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule EXP33-C


Checks for:

  • Non-initialized variable
  • Non-initialized pointer

Rule partially covered

PRQA QA-C
Include Page
PRQA QA-C_v
PRQA QA-C_v

2726, 2727, 2728, 2961, 2962, 2963, 2966,

2967, 2968, 2971, 2972, 2973, 2976, 2977,

2978

Fully implemented
PRQA QA-C++
Include Page
cplusplus:PRQA QA-C++_V
cplusplus:PRQA QA-C++_V

2961, 2962, 2963, 2966, 2967, 2968, 2971,

2972, 2973, 2976, 2977, 2978


PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V573, V614, V670, V679, V1050

RuleChecker
Include Page
RuleChecker_V
RuleChecker_V

uninitialized-local-read

Partially checked
Splint3.1.1

TrustInSoft Analyzer

Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V

initialisation
Exhaustively verified (see one compliant and one non-compliant example).
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C: 2726, 2727, 2728, 2961, 2962, 2963, 2966, 2967, 2968, 2971, 2972, 2973, 2976, 2977, 2978

Related Vulnerabilities

CVE-2009-1888 results from a violation of this rule. Some versions of SAMBA (up to 3.3.5) call a function that takes in two potentially uninitialized variables involving access rights. An attacker can exploit these coding errors to bypass the access control list and gain access to protected files [xorl 2009].

...