Comment: This rule probably needs to be reworked because of C90 discussion

The C90 standard allows for implicit typing of variables and functions. Because implicit declarations lead to less stringent type checking, they can often introduce unexpected and erroneous behavior or even security vulnerabilities.

The current C standard [ISO/IEC 9899:2011] requires type identifiers and forbids implicit function declarations. After issuing the diagnostic, an implementation may choose to assume an implicit declaration and continue translation to support existing programs that used this feature.

Noncompliant Code Example (Implicit int)

C90 Section 6.5.2 allows for the absence of type specifiers in a declaration. In these cases, the type is defined to be that of a signed int.

Do not rely on implicit int typing. C11, Section 6.7.2 [ISO/IEC 9899:2011], states:

At least one type specifier shall be given in the declaration specifiers in each declaration, and in the specifier-qualifier list in each struct declaration and type name.

...

Most C90 implementations do not issue a diagnostic for the violation of this C99 constraint. Many C translators will continue to treat such declarations as implying the type int.

...

Implicit declaration of functions is not allowed: every function must be explicitly declared before it can be called. In C89, if a function is called without an explicit prototype, the compiler provides an implicit declaration.

The C90 standard includes this requirement:

If the expression that precedes the parenthesized argument list in a function call consists solely of an identifier, and if no declaration is visible for this identifier, the identifier is implicitly declared exactly as if, in the innermost block containing the function call, the declaration extern int identifier(); appeared.

A C99 or later implementation will not perform implicit function declarations.

...

extern int func();

However, to conform with the C standard, you must explicitly prototype every function before invoking it. This noncompliant example fails to prototype the foo() function before invoking it in main().

...

For more information on function declarations, see recommendation DCL07-C. Include the appropriate type information in function declarators.

...

Because the compiler assumes that foo() returns a value of type int, UINT_MAX is incorrectly converted to −1.
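The effect of that conversion on a bounds check, as an added example that is not part of the original guideline. The helper names foo_seen_as_int, within_limit_implicit and within_limit_prototyped are hypothetical, and because a C99-or-later compiler rejects the undeclared call, the C90 caller's view is modelled here with an explicit conversion to int.

```c
#include <limits.h>
#include <stdio.h>

/* Compliant form: the prototype is visible before any call, so every
 * caller knows the return type is unsigned int. */
unsigned int foo(void);

unsigned int foo(void) {
    return UINT_MAX;
}

/* Model of a C90 caller with no declaration in scope: it treats the
 * result as int. The conversion is implementation-defined and yields -1
 * on two's-complement targets (assumed here). */
int foo_seen_as_int(void) {
    return (int)foo();
}

/* Hypothetical bounds check written by a caller that believes foo()
 * returns int: -1 < limit, so the oversized value is accepted. */
int within_limit_implicit(int limit) {
    int n = foo_seen_as_int();
    return n < limit;
}

/* The same check with the real return type: UINT_MAX is rejected. */
int within_limit_prototyped(unsigned int limit) {
    unsigned int n = foo();
    return n < limit;
}

int main(void) {
    printf("value seen as int: %d\n", foo_seen_as_int());
    printf("check passes (implicit int view): %d\n", within_limit_implicit(64));
    printf("check passes (prototyped view):   %d\n", within_limit_prototyped(64u));
    return 0;
}
```
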

Compliant Solution (Implicit Return Type)

...

Tool: GCC
Description: Can detect violations of this rule when the -Wimplicit and -Wreturn-type flags are used.

Tool: Compass/ROSE

Tool: Klocwork
Checker: IF_MISS_DECL, RETVOID.IMPLICIT

Tool: LDRA tool suite
Checker: 24 D, 20 S, 326 S
Description: Fully implemented.

Tool: ECLAIR
Checker: decltype
Description: Fully implemented.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

ISO/IEC 9899:2011 Section 6.7.2, "Type specifiers," Section 6.5.2.2, "Function calls"

ISO/IEC TR 24772 "OTR Subprogram signature mismatch"

MISRA

Bibliography

Jones 2008

...