...
This noncompliant code example fails to test for conditions where `a` is neither `b` nor `c`. This may be the correct behavior in this case, but failure to account for all the values of `a` can result in logic errors if `a` unexpectedly assumes a different value.
...
This noncompliant code example fails to consider all possible cases. This may be the correct behavior in this case, but failure to account for all the values of `widget_type` can result in logic errors if `widget_type` unexpectedly assumes a different value or if its valid range is expanded during code maintenance, and the programmer overlooks the need to add a case to the switch.
...
Adding a default case to a switch statement, even when all possible switch labels are specified, is an allowable exception (MSC07-EX1) to recommendation MSC07-C. Detect and remove dead code, as the unreachable code is added as a precautionary measure.
...
Originally, the consensus among those writing best practices was simply that each `switch` statement should have a `default` label. Eventually there emerged compilers and static analysis tools that could verify that a `switch` on an `enum` type contained a `case` label for each enumeration value, but only if no `default` label existed. This led to a shift toward purposely leaving out the `default` label to allow static analysis. However, the resulting code was then vulnerable to `enum` variables being assigned `int` values outside the set of `enum` values.
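One way to keep the static check and still handle out-of-range values, shown as an added example that is not code from the original page. The enumeration, the function names, the handler ids and the sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical enumeration; the names are assumptions for this example. */
enum widget_type { WE_W, WE_X, WE_Y, WE_Z };

/*
 * Returns a handler id for each enumerator, or -1 for any other value.
 *
 * The switch has no default label on purpose: compiled with -Wswitch
 * (enabled by -Wall in GCC), a newly added enumerator without a case
 * label is reported. Every case returns, so control reaches the line
 * after the switch only when w holds an int value that is not an
 * enumerator. That line does the job a default label would have done.
 */
int widget_handler_id(enum widget_type w)
{
    switch (w) {
    case WE_W: return 10;
    case WE_X: return 20;
    case WE_Y: return 30;
    case WE_Z: return 40;
    }
    return -1; /* out-of-range value: fail closed */
}

/* Counts the bytes in buf that do not decode to a valid widget type. */
size_t count_rejected(const unsigned char *buf, size_t n)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (widget_handler_id((enum widget_type)buf[i]) < 0) {
            rejected++;
        }
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample input: 7 and 200 are outside the enumeration. */
    const unsigned char sample[] = { 0, 3, 7, 1, 200 };
    printf("rejected: %zu\n", count_rejected(sample, sizeof sample));
    return 0;
}
```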
...
The flaw in the code occurs when `days` has the value `366`, because the loop never terminates. This bug manifested itself on the 366th day of 2008, which was the first leap year in which this code was active.
...
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: MSC01-CPP. Strive for logical completeness
ISO/IEC TR 24772 "CLL Switch statements and static analysis"
Bibliography
[Hatton 1995] Section 2.7.2, "Errors of omission and addition"
[ISO/IEC PDTR 24772] "CLL Switch statements and static analysis"
[Viega 2005] Section 5.2.17, "Failure to account for default case in switch"
[http://www.aeroxp.org/2009/01/lesson-on-infinite-loops] for analysis on the Zune 30 bug
...