C99 defines undefined behavior in Section 3.4.3 as:

behavior, upon use of a nonportable or erroneous program construct or of erroneous data, for which this International Standard imposes no requirements

...

C99 Annex J.2, "Undefined behavior," contains a list of explicit undefined behaviors in C99.

...

  • to give the implementor license not to catch certain program errors that are difficult to diagnose.
  • to identify areas of possible conforming language extension: the implementor may augment the language by providing a definition of the officially undefined behavior.

Conforming implementations can deal with undefined behavior in a variety of fashions, such as ignoring the situation completely, with unpredictable results; translating or executing the program in a documented manner characteristic of the environment (with or without the issuance of a diagnostic message); or terminating a translation or execution (with the issuance of a diagnostic message). Because compilers are not obligated to generate code for undefined behavior, these behaviors are candidates for optimization. By assuming that undefined behaviors will not occur, compilers can generate code with better performance characteristics.

Unfortunately, undefined behaviors do occur, particularly in the presence of an attacker. Optimizations make it difficult to determine how these systems will behave in the presence of undefined behaviors. This is particularly true when visually inspecting source code that relies on undefined behaviors; a code reviewer cannot be certain if the code will be compiled or if it will be optimized out. Furthermore, just because a compiler currently generates object code for an undefined behavior does not mean that future versions of the compiler are obligated to do the same; the behavior may be viewed as an opportunity for further optimization. Compilers are also not required to issue diagnostics for undefined behavior, so there is frequently no easy way to identify undefined behavior in code.

...

An example of undefined behavior in C99 is the behavior on signed integer overflow. This noncompliant code example depends on this behavior to catch the overflow:

#include <assert.h>
#include <limits.h>   /* INT_MAX */
#include <stdio.h>    /* printf */

int foo(int a) {
  /* Noncompliant: a + 100 overflows when a is near INT_MAX, which is
     undefined behavior, so the compiler may assume the condition is
     always true and drop the assertion entirely. */
  assert(a + 100 > a);
  printf("%d %d\n", a + 100, a);
  return a;
}

int main(void) {
  foo(100);
  foo(INT_MAX);
}

This code tests for signed integer overflow by testing whether a + 100 > a. This test cannot evaluate to false unless an integer overflow occurs. However, because a conforming implementation is not required to generate code for undefined behavior, and signed integer overflow is undefined behavior, this code may be compiled out. For example, GCC version 4.1.1 optimizes out the assertion for all optimization levels, and GCC 4.2.3 optimizes out the assertion for programs compiled with -O2 level optimization and higher.
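The reliable way to detect this overflow is to test the precondition before performing the addition, so that the undefined operation is never executed and the check cannot be treated as unreachable. The following is an added example, not code from the original page: it reworks the same a + 100 case with a range check against INT_MAX (the function names add100_would_overflow and add100_checked are this example's own).

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* True when a + 100 would exceed INT_MAX. INT_MAX - 100 is always
   representable, so this comparison itself cannot overflow. */
bool add100_would_overflow(int a) {
  return a > INT_MAX - 100;
}

/* Stores a + 100 in *out and returns 1 when the addition is safe;
   returns 0 without touching *out when it would overflow. The
   addition is only reached after the precondition has been checked,
   so no undefined behavior occurs for any input value. */
int add100_checked(int a, int *out) {
  if (add100_would_overflow(a)) {
    return 0;
  }
  *out = a + 100;
  return 1;
}

int main(void) {
  /* Constructed inputs: an ordinary value, the largest safe value,
     and the value that made the original assertion overflow. */
  int inputs[] = {100, INT_MAX - 100, INT_MAX};
  for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
    int result;
    if (add100_checked(inputs[i], &result)) {
      printf("%d + 100 = %d\n", inputs[i], result);
    } else {
      printf("%d + 100 would overflow; rejected\n", inputs[i]);
    }
  }
  return 0;
}
```

Because the check happens on values that are already in range, the compiler has no undefined behavior to assume away, and the branch survives at every optimization level.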

...

[ISO/IEC 9899:1999] Section 3.4.3, "Undefined behavior"; Section 4, "Conformance"; and Annex J.2, "Undefined behavior"
[ISO/IEC PDTR 24772] "EWF Undefined Behaviour"
[Seacord 05] Chapter 5, "Integers"

...