Versions Compared

Software vulnerabilities can result when a programmer fails to consider all possible data states.

"may result in logic errors if widget_type unexpectedly assumes a different value" should have appended "or if its valid range is expanded during code maintenance and the programmer overlooks the need to add a case to the switch".

Is adding a default case really an instance of "remove dead code"? It seems like more of an exception, where unreachable code is added as a precautionary measure.

I think a useful common practice should be shown by using
default: /* "can't happen" */
which shows that it handles an internal logic error.

Non-Compliant Code Example

...

This non-compliant code example fails to consider all possible cases. Handling only some of the values may be the intended behavior here, but failure to account for all the values of widget_type may result in logic errors if widget_type unexpectedly assumes a different value, or if its valid range is expanded during code maintenance and the programmer overlooks the need to add a case to the switch.

This is particularly problematic in C, because an identifier declared as an enumeration constant has type int, and an object of enumerated type can be assigned any integer value without the compiler being required to issue a diagnostic. A programmer can therefore accidentally assign an arbitrary integer value to an enum variable, as shown in this example.

...

Microsoft Visual C++ .NET with /W4 does not warn when assigning an integer value to an enum type, or when the switch statement does not contain all possible values of the enumeration.

...

enum WidgetEnum { WE_W, WE_X, WE_Y, WE_Z } widget_type;

widget_type = WE_X;

switch (widget_type) {
  case WE_W:
    /* ... */
    break;
  case WE_X:
    /* ... */
    break;
  case WE_Y:
    /* ... */
    break;
  case WE_Z:
    /* ... */
    break;
  default:  /* can't happen */
    /* handle error condition */
    break;
}

Adding a default case to a switch statement, even when all possible switch labels are specified, is an instance of the allowable exception MSC07-EX1 to MSC07-A, "Detect and remove dead code": the unreachable default is added deliberately as a precautionary measure.
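The following example is added here to make both points concrete; it is not code from the original page. It puts the non-compliant switch (only some enumerators handled, no default) beside the compliant one from above, and then assigns an out-of-range integer to the enum variable, which C accepts because enumeration constants have type int. The function names describe_noncompliant and describe_compliant, the return codes, and the value 42 are assumptions made for illustration.

```c
#include <stdio.h>

enum WidgetEnum { WE_W, WE_X, WE_Y, WE_Z };

/* Non-compliant (hypothetical helper, not from the original page):
 * only WE_W and WE_X are handled and there is no default, so WE_Y, WE_Z
 * and any out-of-range integer fall out of the switch silently. */
int describe_noncompliant(enum WidgetEnum widget_type) {
    int result = -1;                 /* sentinel: "nothing was handled" */
    switch (widget_type) {
      case WE_W:
        result = 0;
        break;
      case WE_X:
        result = 1;
        break;
    }
    return result;                   /* -1 for WE_Y, WE_Z, 42, ... */
}

/* Compliant (hypothetical helper): every enumerator has a case, and the
 * default catches the "can't happen" values so the caller can tell an
 * internal logic error apart from a legitimate result. */
int describe_compliant(enum WidgetEnum widget_type) {
    switch (widget_type) {
      case WE_W:
        return 0;
      case WE_X:
        return 1;
      case WE_Y:
        return 2;
      case WE_Z:
        return 3;
      default:  /* can't happen */
        return -2;                   /* distinct internal-error code */
    }
}

int main(void) {
    enum WidgetEnum widget_type = WE_X;
    printf("WE_X: noncompliant=%d compliant=%d\n",
           describe_noncompliant(widget_type), describe_compliant(widget_type));

    /* Compiles without a required diagnostic: the enum is just an int. */
    widget_type = 42;
    printf("42:   noncompliant=%d compliant=%d\n",
           describe_noncompliant(widget_type), describe_compliant(widget_type));
    return 0;
}
```

With gcc or clang, -Wswitch (enabled by -Wall) reports the missing enumerators in describe_noncompliant at compile time but is silenced by a default label, so the default in describe_compliant is what catches the assignment of 42, or a new enumerator added during maintenance, at run time.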

Historical Discussion

This practice has been a subject of debate for some time, but a clear direction has emerged.

...