Comment: added exception using TR24731-1 functions

...

If a null pointer constant is converted to a pointer type, the resulting pointer, called a null pointer, is guaranteed to compare unequal to a pointer to any object or function.

ERR02-EX2: One may use a function returning in-band error indicators if one can securely guarantee the program will not try to continue processing should an error occur in the function.

For example, the functions defined in TR24731-1 provide hooks for internal constraint violations. If the constraint violation handler is guaranteed not to return when an error occurs, then one may safely ignore the errors returned by these functions. One might accomplish this by having the constraint violation handler call abort() or longjmp(), for instance.

See ERR03-A. Use runtime-constraint handlers when calling functions defined by TR24731-1 for more on the functions defined in TR24731-1.

Non-Compliant Code Example (TR24731-1)

```c
#define __STDC_WANT_LIB_EXT1__ 1
#include <string.h>

/* A TR24731-1 runtime-constraint handler has this signature and
   returns nothing; this one returns to the caller after an error. */
void handle_errors(const char *msg, void *ptr, errno_t error) {
  /* define what to do when error occurs */
  return;
}

/* ... */

set_constraint_handler_s(handle_errors);

/* ... */

/* Returns zero on success */
errno_t function(char *dst1, size_t dst1_size) {
  char src1[100] = "hello";

  strcpy_s(dst1, dst1_size, src1);
  /* At this point strcpy_s may have yielded an
     error and handle_errors() might have returned */

  /* ... */
  return 0;
}
```

Compliant Code Example (TR24731-1)

```c
#define __STDC_WANT_LIB_EXT1__ 1
#include <stdlib.h>
#include <string.h>

/* Runtime-constraint handler that never returns. */
void handle_errors(const char *msg, void *ptr, errno_t error) {
  /* define what to do when error occurs */
  abort();
}

/* ... */

set_constraint_handler_s(handle_errors);

/* ... */

/* Returns zero on success */
errno_t function(char *dst1, size_t dst1_size) {
  char src1[100] = "hello";

  strcpy_s(dst1, dst1_size, src1);
  /* since handle_errors() never returns,
     we only get here if strcpy_s() succeeds. */

  /* ... */
  return 0;
}
```
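The compliant example above uses abort(); ERR02-EX2 also allows longjmp(). The added example below (not part of the original page) contrasts a handler that returns with one that longjmps back to the caller, so the in-band return value of the copy routine is never relied upon. Because TR24731-1 functions are not available in most C libraries, it assumes a minimal strcpy_s-like routine and a set_constraint_handler_s stand-in that are hypothetical and written here only to model the mechanism.

```c
#include <errno.h>
#include <setjmp.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for TR24731-1's constraint_handler_t. */
typedef void (*handler_t)(const char *msg, void *ptr, int err);

static handler_t g_handler = NULL;  /* currently installed handler */
static jmp_buf g_recover;           /* target for the longjmp() handler */

/* Hypothetical stand-in for set_constraint_handler_s(). */
static handler_t my_set_constraint_handler(handler_t h) {
    handler_t old = g_handler;
    g_handler = h;
    return old;
}

/* Minimal strcpy_s-like routine: on a runtime-constraint violation it calls
   the installed handler, then (only if the handler returns) clears dst and
   returns a nonzero in-band error code. */
static int my_strcpy_s(char *dst, size_t dstsize, const char *src) {
    if (dst == NULL || src == NULL || dstsize == 0 || strlen(src) >= dstsize) {
        if (g_handler != NULL)
            g_handler("my_strcpy_s: runtime-constraint violation", NULL, EINVAL);
        if (dst != NULL && dstsize > 0)
            dst[0] = '\0';
        return EINVAL;
    }
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}

/* Non-compliant style: the handler returns, so the caller keeps going. */
static void returning_handler(const char *msg, void *ptr, int err) {
    (void)msg; (void)ptr; (void)err;
}

/* Compliant style: never returns; unwinds to the setjmp() in run_copy(). */
static void jumping_handler(const char *msg, void *ptr, int err) {
    (void)msg; (void)ptr;
    longjmp(g_recover, err);
}

/* Copies "hello" into a 4-byte buffer (constructed to violate the constraint)
   with the return value deliberately ignored, as ERR02-EX2 permits.
   Returns 1 if execution continued past the failed copy, 0 if the handler
   took over control. */
int run_copy(handler_t h) {
    char dst[4];
    my_set_constraint_handler(h);
    if (setjmp(g_recover) != 0)
        return 0;                            /* reached only via longjmp() */
    my_strcpy_s(dst, sizeof dst, "hello");   /* error code not checked */
    return 1;  /* with a returning handler we get here despite the failure */
}
```

With the returning handler the code after the failed copy executes; with the longjmp handler it never does, which is the guarantee ERR02-EX2 requires.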

Risk Analysis

The risk of using in-band error indicators is difficult to quantify, and is consequently given as low. However, if the use of in-band error indicators results in programmers failing to check, or incorrectly checking, status codes, the consequences can be more severe.

...

[Burch 06]
[ISO/IEC 9899-1999] Section 6.2.4, "Storage durations of objects," and Section 7.20.3, "Memory management functions"
[ISO/IEC PDTR 24772] "NZN Returning error status"
[ISO/IEC TR 24731-1-2007]

...
