SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 34

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 35

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Assume an initial list of async-safe functions. This list would be specific to each OS, although POSIX does require a set of functions to be async-safe.
  2. All application defined functions that satisfy the async-safe property in that only call functions in the list of async-safe functions or modifies only sig_atomic_t variables are added to the async-safe function list. This handles the interprocedural case of calling a function in a signal handler that was itself an async-safe function.
  3. Traverse the abstract syntax tree (AST) to identify function calls to the signal function signal(int, void (*f)(int)).
  4. At each function call to signal(int, void (*f)(int)) get the second argument from the argument list. To make sure that this is not an overloaded function the function type signature is evaluated and/or the location of the declaration of the function is verified to be from the correct file (because this is not a link-time analysis it is not possible to test the library implementation). Any definition for signal() in the application is suspicious, because it should be in a library.
  5. Perform a nested query on the registered signal handler to get the list of functions that are called. Verify that each function being called is in the list of async-safe functions. To avoid repeatedly reviewing each function, the result of the first test of the function should be stored.
  6. Perform a nested query (can be combined with the one in the previous step) to identify all referenced objects with static storage duration. Verify that none of these objects are referenced as an rvalue, and that for each object referenced as an lvalue, that the type is sig_atomic_t or can be stripped away to a type for which sig_atomic_t is the base type (this handles the case of layers of typedef}}s hiding that a variable may really be of {{typed sig_atomic_t, but just not obviously so. The result from this analysis could be stored in the same location as the information from the previous step.
  7. If a violation is detected in either of the preceding two steps, report a violation (either a call to a non-asynch safe function or modification of a variable that was not sig_atomic_t).

...