Page History

Assertions are a valuable diagnostic tool for finding and eliminating software defects that may result in vulnerabilities. (See recommendation MSC11-C. Incorporate diagnostic tests using assertions.) The runtime assert() macro has some limitations, however, in that it incurs a runtime overhead and because it calls abort(). Consequently, the runtime assert() macro is only useful for identifying incorrect assumptions and not for runtime error checking. As a result, runtime assertions are generally unsuitable for server programs or embedded systems.

Static assertion is a new facility in the C1X draft C standard [Jones 2010ISO/IEC 9899:2011] and the C++ 0X draft standard [Becker 2008] and . It takes the form

static_assert(constant-expression, string-literal);

According to section C11, Section 6.7.10 of the C1X draft standard, states:

The constant expression shall be an integer constant expression. If the value of the
constant the constant expression compares unequal to 0, the declaration has no effect. Otherwise, the
constraint the constraint is violated and the implementation shall produce a diagnostic message that
includes that includes the text of the string literal, except that characters not in the basic source
character set are not required to appear in the message.

This means that if constant-expression is true, nothing will happen. However, if constant-expression is false, an error message containing string-literal will be output at compile - time.

/* Passes */
static_assert(
  sizeof(int) <= sizeof(void*), 
  "sizeof(int) <= sizeof(void*)"
); 

/* Fails */
static_assert(
  sizeof(double) <= sizeof(int), 
  "sizeof(double) <= sizeof(int)"
);

...

struct timer {
  uint8_t MODE;
  uint32_t DATA;
  uint32_t COUNT;
};

int func(void) {
  assert(offsetof(timer, DATA) == 4);
}

While the Although the use of the runtime assertion is better than nothing, it needs to be placed in a function and executed. This means that it is usually far away from the definition of the actual structure to which it refers. The diagnostic occurs only at runtime and only if the code path containing the assertion is executed.

...

struct timer {
  uint8_t MODE;
  uint32_t DATA;
  uint32_t COUNT;
};

#if (offsetof(timer, DATA) != 4)
  #error "DATA must be at offset 4"
#endif

...

Unfortunately, this solution is not portable. C99 does  The C standard does not require that implementations support sizeof, offsetof, or enumeration constants in #if conditions. According to Section 6.10.1, "Conditional inclusion," all identifiers in the expression that controls conditional inclusion either are or are not macro names. Some compilers allow these constructs in conditionals as an extension, but most do not.

...

struct timer {
  uint8_t MODE;
  uint32_t DATA;
  uint32_t COUNT;
};

static_assert(offsetof(struct timer, DATA) == 4, "DATA must be at offset 4");

Static assertions allow incorrect assumptions to be diagnosed at compile time , instead of resulting in a silent malfunction or runtime error. Because the assertion is performed at compile time, no runtime cost in space or time is incurred. An assertion can be used at file or block scope, and failure results in a meaningful and informative diagnostic error message.

Other uses of static assertion are shown in recommendation STR07-C. Use the bounds-checking interfaces for remediation of existing string manipulation code and rule FIO35-C. Use feof() and ferror() to detect end-of-file and file errors when sizeof(int) == sizeof(char).

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

C++ Secure Coding Standard: DCL03-CPP. Use a static assertion to test the value of a constant expression

ISO/IEC 9899:19992011 Section 6.10.1, "Conditional inclusion," and Section 6.10.3.3, "The ## operator," and Section 7.2.1, "Program diagnostics"

...