...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DCL30-C | high | probable | high | P6 | L2 |
Automated Detection
The LDRA tool suite Version 7.6.0 can detect violations of this rule.
Fortify SCA Version 5.0 can detect violations when an array is declared in a function and then a pointer to that array is returned.
Splint Version 3.1.1 can detect violations of this rule.
Compass/ROSE can detect violations of this rule. It automatically detects returning pointers to local variables. Detecting more general cases, such as examples where static pointers are set to local variables which then go out of scope would be difficult.
The Coverity Prevent RETURN_LOCAL checker finds many instances where a function will return a pointer to a local stack variable. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.
...
Tool | Compliance |
|---|---|
GCC | n/a |
Rose | partial |
LDRA | yes |
Fortify | yes |
Coverity | RETURN_LOCAL |
Splint | yes |
Klocwork | LOCRET |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
Cross References
Standard | Document |
|---|---|
Cert C | n/a |
Cert C++ | n/a |
Cert Java | n/a |
MISRA | Rule 8.6 |
CWE | n/a |
This rule appears in the C++ Secure Coding Standard as DCL30-CPP. Declare objects with appropriate storage durations.
References
| Wiki Markup |
|---|
\[[Coverity 07|AA. C References#Coverity 07]\] \[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.2.4, "Storage durations of objects," and Section 7.20.3, "Memory management functions" \[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "DCM Dangling references to stack frames" \[[MISRA 04|AA. C References#MISRA 04]\] Rule 8.6 |
...