When used in program logic, literals can reduce the readability of source code. As a result, literals in general, and integer constants in particular, are frequently called magic numbers because their purpose is often obscured. Magic numbers may be constant values that represent either an arbitrary value (such as a determined appropriate buffer size) or a malleable concept (such as the age a person is considered an adult, which can change between geopolitical boundaries). Rather than embed literals in program logic, use appropriately named symbolic constants to clarify the intent of the code. In addition, if a specific value needs to be changed, reassigning a symbolic constant once is more efficient and less error prone than replacing every instance of the value [Saks 2002].

...

const-qualified objects are likely to incur some runtime overhead [Saks 2001b]. Most C compilers, for example, allocate memory for const-qualified objects. const-qualified objects declared inside a function body may have automatic storage duration. If so, the compiler will allocate storage for the object, and it will be on the stack. As a result, this storage will need to be allocated and initialized each time the containing function is invoked.

...

defines buffer_size as a macro whose value is 256. The preprocessor substitutes macros before the compiler does any other symbol processing. Later compilation phases never see macro symbols, such as buffer_size; they see only the source text after macro substitution. As a result, many compilers do not preserve macro names among the symbols they pass on to their debuggers.

...

In this compliant solution, the integer literal is replaced with an enumeration constant. (See guideline DCL00-C. Const-qualify immutable objects.)

enum { BUFFER_SIZE=256 };

char buffer[BUFFER_SIZE];
/* ... */
fgets(buffer, BUFFER_SIZE, stdin);

...

Frequently, it is possible to obtain the desired readability by using a symbolic expression composed of existing symbols rather than by defining a new symbol. For example, a sizeof expression can work just as well as an enumeration constant. (See guideline EXP09-C. Use sizeof to determine the size of a type or variable.)

char buffer[256];
/* ... */
fgets(buffer, sizeof(buffer), stdin);

Using the sizeof expression in this example reduces the total number of names declared in the program, which is generally a good idea [Saks 2002]. The sizeof operator is almost always evaluated at compile time (except in the case of variable-length arrays).

When working with sizeof(), keep in mind guideline ARR01-C. Do not apply the sizeof operator to a pointer when taking the size of an array.
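The sizeof form and the ARR01-C caveat above, shown together in an added example that is not part of the original guideline. LINE_CAP, size_seen_through_pointer, read_line and demo are hypothetical names, and a temporary file stands in for stdin.

```c
#include <stdio.h>
#include <string.h>

enum { LINE_CAP = 16 };   /* hypothetical capacity for this example */

/* Pitfall (ARR01-C): inside a function, buf is a pointer, so sizeof
   yields the size of the pointer, not of the caller's array. */
static size_t size_seen_through_pointer(char *buf) {
    return sizeof(buf);
}

/* Correct: the caller passes the capacity, computed with sizeof at the
   point where the array type is still visible. Returns the stored length. */
static size_t read_line(char *buf, size_t cap, FILE *in) {
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        return 0;
    }
    buf[strcspn(buf, "\n")] = '\0';   /* drop the newline, if one was read */
    return strlen(buf);
}

/* Feeds a constructed input line through read_line via a temporary file. */
static size_t demo(const char *input) {
    char buffer[LINE_CAP];
    size_t stored = 0;
    FILE *in = tmpfile();
    if (in != NULL) {
        fputs(input, in);
        rewind(in);
        stored = read_line(buffer, sizeof(buffer), in);  /* array in scope */
        fclose(in);
    }
    return stored;
}

int main(void) {
    char buffer[LINE_CAP];
    printf("array: %zu bytes, via pointer: %zu bytes\n",
           sizeof(buffer), size_seen_through_pointer(buffer));
    printf("stored %zu of 40 input characters\n",
           demo("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"));
    return 0;
}
```

Changing LINE_CAP resizes the array and the fgets bound together, because the bound is derived from the array with sizeof rather than repeated as a literal.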

...

Note that this example does not check for invalid operations (taking the sqrt() of a negative number). See guideline FLP32-C. Prevent or detect domain and range errors in math functions, for more information on detecting domain and range errors in math functions.

...

| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| DCL06-C | low | unlikely | medium | P2 | L3 |

Automated Detection

...

| Tool | Version | Checker | Description |
|---|---|---|---|
| LDRA tool suite | | | |
| Compass/ROSE | | | could detect violations of this recommendation merely by searching for the use of 'magic numbers' and magic strings in the code itself. That is, any number (besides a few canonical numbers: -1, 0, 1, 2) that appears in the code anywhere besides being assigned to a variable is a magic number, and should instead be assigned to a const integer, enum, or macro. Likewise, any string literal (except "" and individual characters) that appears in the code anywhere besides being assigned to a char* or char[] is a magic string. |
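A line-based approximation of the magic-number search described above, as an added example. It is not Compass/ROSE's checker or any code from the guideline; the function names and the two sample fragments are constructed for illustration. It treats a literal as named only when enum, const or #define precedes it on the same line, so multi-line enum bodies would need a real parser.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Keywords after which a literal on the same line is being given a name. */
static int names_constant(const char *id, size_t n) {
    static const char *const words[] = { "enum", "const", "define" };
    for (size_t i = 0; i < sizeof(words) / sizeof(words[0]); i++)
        if (strlen(words[i]) == n && memcmp(id, words[i], n) == 0) return 1;
    return 0;
}

/* Counts integer literals other than 0, 1, 2 that no keyword above precedes. */
static int count_magic_numbers(const char *src) {
    int count = 0, in_comment = 0;
    while (*src != '\0') {
        const char *p = src, *end = src + strcspn(src, "\n");
        int exempt = 0;
        while (p < end) {
            if (in_comment) {                          /* block comment body */
                in_comment = !(p[0] == '*' && p[1] == '/');
                p += in_comment ? 1 : 2;
            } else if (p[0] == '/' && p[1] == '*') { in_comment = 1; p += 2;
            } else if (p[0] == '/' && p[1] == '/') { p = end;
            } else if (*p == '"' || *p == '\'') {      /* skip quoted text */
                char quote = *p++;
                while (p < end && *p != quote) p += (*p == '\\' && p + 1 < end) ? 2 : 1;
                if (p < end) p++;                      /* closing quote */
            } else if (isalpha((unsigned char)*p) || *p == '_') {
                const char *id = p;
                while (p < end && (isalnum((unsigned char)*p) || *p == '_')) p++;
                exempt |= names_constant(id, (size_t)(p - id));
            } else if (isdigit((unsigned char)*p)) {
                char *stop;
                long value = strtol(p, &stop, 0);      /* "-1" lexes as '-' then 1 */
                if (!exempt && (value < 0 || value > 2)) count++;
                for (p = stop; p < end && (isalnum((unsigned char)*p) || *p == '.'); p++) {}
            } else { p++; }
        }
        src = (*end == '\n') ? end + 1 : end;
    }
    return count;
}

/* Constructed samples: a literal-based fragment and the enum form from the page. */
static const char LITERALS[] = "char buffer[256];\nfgets(buffer, 256, stdin);\n";
static const char NAMED[] = "enum { BUFFER_SIZE=256 };\nchar buffer[BUFFER_SIZE];\n"
                            "fgets(buffer, BUFFER_SIZE, stdin); /* not 256 */\n";
/* Exit status 0 means: two findings in LITERALS, none in NAMED. */
int main(void) { return count_magic_numbers(LITERALS) == 2 && !count_magic_numbers(NAMED) ? 0 : 1; }
```

Applied as written, this rule also flags the array dimension in `char buffer[256];`, which the sizeof-based compliant solution keeps, so a practical checker needs an allowance for dimensions that are referenced only through sizeof.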

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

This rule appears in the C++ Secure Coding Standard as DCL06-CPP. Use meaningful symbolic constants to represent literal values in program logic.

Bibliography

[Henricson 1992] Chapter 10, "Constants" (http://www.doc.ic.ac.uk/lab/cplus/c++.rules/chap10.html)
[ISO/IEC 9899:1999] Section 6.3.2.1, "Lvalues, arrays, and function designators," Section 6.7, "Declarations," Section 6.7.2.2, "Enumeration specifiers," and Section 6.10.3, "Macro replacement"
[ISO/IEC PDTR 24772] "BRS Leveraging human experience"
[MITRE 2007] CWE ID 547 (http://cwe.mitre.org/data/definitions/547.html), "Use of Hard-coded, Security-relevant Constants"
[Saks 2001a]
[Saks 2001b]
[Saks 2002]
[Summit 2005] Question 10.5b (http://c-faq.com/cpp/constvsdefine.html)

...