SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 41

changes.mady.by.user Lee Mancuso

Saved on

compared with

New Version 42

changes.mady.by.user David Keaton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Prevent or detect domain errors and range errors in math functions before using the results in further computations. Most of the math functions can fail, if they are given arguments which do not produce a proper result. For example, the square root of a negative number, such as sqrt(-1.0), has no meaning in real arithmetic. This is known as a domain error; the argument is outside the domain over which the function is defined. For another example, ten raised to the one-millionth power, pow(10., 1e6), cannot be represented in any (current) floating point representation. This is known as a range error; the result cannot be represented as a proper double number. In all such error cases, the function will return some value, but the value returned is not the correct result of the computation.

...

Non-Compliant Coding Example (error checking)

The extract exact treatment of error conditions from math functions is quite complex complicated (see C99 Section 7.12.1, "Treatment of error conditions".

...

It is best not to check for errors by comparing the returned value against HUGE_VAL or zero) for several reasons. First of all, these are in general valid (albeit unlikely) data values. Secondly, making such tests requires detailed knowledge of the various error returns for each math function. Also, there are three different possibilities - ; -HUGE_VAL, 0, and HUGE_VAL - ; and you must know which are possible in each case. Finally, different versions of the library have differed in their error-return behavior.

It is also difficult to check for math errors using errno since an implementation might not set it.  For real functions, the programmer can test whether the implementation sets errno because in that case math_errhandling & MATH_ERRNO is nonzero.  For complex functions, the C Standard section 7.3.2 simply states that setting errno is optional.

Compliant Solution (error checking)

A more The most reliable way to test for errors is by using the global variable errno. This variable is set to a non-zero value by any of the math functions that encounters an error. Thus, setting errno to zero prior to a computation, and testing it afterwards, reveals if any library errors were reported during the computation checking its arguments beforehand, as in the following compliant solution:

Code Block
bgColor#ccccff
errno = 0;
if (/* perform computation */
if (errno != 0arguments will cause a domain or range error */) {
  /* handle the error */
}
else {
  /* perform computation succeeded */
}

Implementation Details

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.3, "Complex arithmetic <complex.h>"
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.12, "Mathematics <math.h>"
\[[Plum 85|AA. C References#Plum 85]\] Rule 2-2
\[[Plum 89|AA. C References#Plum 91]\] Topic 2.10, "conv - conversions and overflow"

...