Two consecutive question marks signify the start of a trigraph sequence. According to the C99 Standard C standard [ISO/IEC 9899:19992011]
All occurrences in a source file of the following sequences of three characters (that is, trigraph sequences) are replaced with the corresponding single character.
??=
#
??)
]
??!
|
??(
[
??'
^
??>
}
??/
\
??<
{
??-
~
Noncompliant Code Example
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
// what is the value of a now??/
a++;
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
// what is the value of a now? ?/
a++;
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
size_t i = /* some initial value */;
if (i > 9000) {
if (puts("Over 9000!??!") == EOF) {
/* Handle Error */
}
}
|
This example prints Over 9000!| if a C99C-compliant compiler is used.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
size_t i = /* some initial value */;
/* assignment of i */
if (i > 9000) {
if (puts("Over 9000!?""?!") == EOF) {
/* Handle Error */
}
}
|
...
Inadvertent trigraphs can result in unexpected behavior. Some compilers provide options to warn when trigraphs are encountered or to disable trigraph expansion. Use the warning options and ensure your code compiles cleanly. (See recommendation MSC00-C. Compile cleanly at high warning levels.)
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
PRE07-C | low | unlikely | medium | P2 | L3 |
Automated Detection
| Tool | Version | Checker | Description | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Section | |
| 81 S | | Section | | ||||||||
| Section | |
| section | Can detect violation of this recommendation when the | |||||||||
| | Section | dtrigraf Section | | Fully Implementedimplemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
CERT C++ Secure Coding Standard: PRE07-CPP. Avoid using repeated question marks
ISO/IEC 9899:19992011 Section 5.2.1.1, "Trigraph sequences"
...