...

All of this puts the onus on the programmer to write strictly conforming code, with or without the help of the compiler. Because performance is a primary emphasis of the C language, this situation is likely to get worse before it gets better.

...

Noncompliant Code Example

An example of undefined behavior in C99 is the behavior on signed integer overflow. This noncompliant code example depends on this behavior to catch the overflow.

...

On some platforms, the integer overflow will cause the program to terminate (before it has an opportunity to test).

Compliant Solution

This compliant solution does not depend on undefined behavior because it generates code to test for overflow in the assertion.

#include <assert.h>
#include <limits.h>   /* INT_MAX */
#include <stdio.h>    /* printf */

int foo(int a) {
  /* Test the precondition before computing a + 100, so the addition
   * itself can never overflow and no undefined behavior is evaluated. */
  assert(a < (INT_MAX - 100));
  printf("%d %d\n", a + 100, a);
  return a;
}

int main(void) {
  foo(100);
  foo(INT_MAX);  /* the assertion fails here instead of the addition overflowing */
  return 0;
}
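
The same precondition technique generalized to the sum of two arbitrary ints, as an added example that is not part of the original CERT page: the range test is done with comparisons against INT_MAX and INT_MIN before the addition, so the possibly overflowing expression is never evaluated. The function name add_checked and the sample inputs are this example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Returns true and stores a + b in *result if the sum is representable as
 * an int; returns false (leaving *result unchanged) if it would overflow.
 * Each subtraction is itself safe: INT_MAX - b is evaluated only when
 * b > 0, and INT_MIN - b only when b < 0, so neither can overflow. */
bool add_checked(int a, int b, int *result) {
  if (b > 0 && a > INT_MAX - b) {
    return false;        /* a + b would exceed INT_MAX */
  }
  if (b < 0 && a < INT_MIN - b) {
    return false;        /* a + b would fall below INT_MIN */
  }
  *result = a + b;       /* guaranteed representable at this point */
  return true;
}

int main(void) {
  /* Constructed sample inputs covering both overflow directions. */
  int samples[][2] = {
    {100, 100}, {INT_MAX, 1}, {INT_MIN, -1}, {INT_MIN, INT_MAX}
  };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    int sum;
    if (add_checked(samples[i][0], samples[i][1], &sum)) {
      printf("%d + %d = %d\n", samples[i][0], samples[i][1], sum);
    } else {
      printf("%d + %d would overflow\n", samples[i][0], samples[i][1]);
    }
  }
  return 0;
}
```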

Risk Assessment

While it is rare that the entire application can be strictly conforming, the goal should be that almost all the code is allowed for a strictly conforming program (which among other things means that it avoids undefined behavior), with the implementation-dependent parts confined to modules that the programmer knows he needs to adapt to the platform when it changes.

Recommendation   Severity   Likelihood   Remediation Cost   Priority   Level
MSC15-C          high       likely       medium             P18        L1

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[ISO/IEC 9899:1999] Section 3.4.3, "undefined behavior," Section 4, "Conformance," and Annex J.2, "Undefined behavior"
[ISO/IEC PDTR 24772] "BQF Unspecified Behaviour"
[ISO/IEC PDTR 24772] "EWF Undefined Behaviour"
[ISO/IEC PDTR 24772] "FAB Implementation-defined Behaviour"
[Seacord 05] Chapter 5, "Integers"

...