It is necessary to understand how macro replacement works in C, particularly in the context of concatenating tokens using the ##
operator and converting macro parameters to strings using the #
operator.
Concatenating Tokens
The ##
preprocessing operator is used to merge two tokens into one while expanding macros, which is called token pasting or token concatenation. When a macro is expanded, the two tokens on either side of each ##
operator are combined into a single token that replaces the ##
and the two original tokens in the macro expansion [FSF 2005].
Token pasting is most useful when one or both of the tokens come from a macro argument. If either of the tokens next to a ##
is a parameter name, it is replaced by its actual argument before ##
executes. The actual argument is not macro expanded first.
Stringification
Parameters are not replaced inside string constants, but the #
preprocessing operator can be used instead. When a macro parameter is used with a leading #
, the preprocessor replaces it with the literal text of the actual argument converted to a string constant [FSF 2005].
Noncompliant Code Example
The following definition for static_assert()
from DCL03-C. Use a static assertion to test the value of a constant expression uses the JOIN()
macro to concatenate the token assertion_failed_at_line_
with the value of __LINE__
:
Code Block |
---|
#define static_assert(e) \
typedef char JOIN(assertion_failed_at_line_, __LINE__) \
[(e) ? 1 : -1]
|
__LINE__
is a predefined macro name that expands to an integer constant representing the presumed line number of the current source line within the current source file. If the intention is to expand the __LINE__
macro, which is likely the case here, the following definition for JOIN()
is noncompliant because the __LINE__
is not expanded, and the character array is subsequently named assertion_failed_at_line___LINE__
:
Code Block | ||||
---|---|---|---|---|
| ||||
#define JOIN(x, y) x ## y
|
Compliant Solution
To get the macro to expand, a second level of indirection is required, as shown by this compliant solution:
Code Block | ||||
---|---|---|---|---|
| ||||
#define JOIN(x, y) JOIN_AGAIN(x, y)
#define JOIN_AGAIN(x, y) x ## y
|
JOIN(x, y)
calls JOIN_AGAIN(x, y)
so that if x
or y
is a macro, it is expanded before the ##
operator pastes them together.
Note also that macro parameters cannot be individually parenthesized when concatenating tokens using the ##
operator, converting macro parameters to strings using the #
operator, or concatenating adjacent string literals. This is an exception, PRE01-C-EX2, to PRE01-C. Use parentheses within macros around parameter names.
Noncompliant Code Example
This example is noncompliant if the programmer's intent is to expand the macro before stringification:
Code Block | ||||
---|---|---|---|---|
| ||||
#define str(s) #s
#define foo 4
str(foo)
|
The macro invocation str(foo)
expands to foo
.
Compliant Solution
To stringify the result of expansion of a macro argument, two levels of macros must be used:
Code Block | ||||
---|---|---|---|---|
| ||||
#define xstr(s) str(s)
#define str(s) #s
#define foo 4
|
The macro invocation xstr(foo)
expands to 4
because s
is stringified when it is used in str()
, so it is not macro expanded first. However, s
is an ordinary argument to xstr()
, so it is completely macro expanded before xstr()
is expanded. Consequently, by the time str()
gets to its argument, it has already been macro expanded.
Risk Assessment
Use parenthesis around any macro definition that contains operators.
Non-Compliant Coding Example
In this non-compliant coding example, EOF
is defined as -1
. This macro definition consists of a unary negation operator '-' followed by an integer literal '1'.
Code Block | ||
---|---|---|
| ||
#define EOF -1
/* ... */
if (c EOF) {
/* ... */
}
|
Wiki Markup |
---|
In this example, the programmer has mistakenly omitted the comparison operator (see \[[MSC02-A. Avoid errors of omission]\]) from the conditional statement which should be {{c != EOF}}. After macro expansion, the conditional expression is incorrectly evaluated as a binary operation: {{c-1}}. This is syntactically correct, even though it is certainly not what the programmer intended. |
Parenthesizing the -1
in the declaration of EOF
ensures that the macro expansion is evaluated correctly.
Code Block |
---|
#define EOF (-1)
|
Once this modification is made, the non-compliant code example no longer compiles as the macro expansion results in the conditional expression c (-1)
, which is no longer syntactically valid.
Compliant Solution
The following compliant solution uses parenthesis around the macro definition and adds the (previously omitted) comparison operator.
Code Block | ||
---|---|---|
| ||
#define EOF (-1)
/* ... */
if (c != EOF) {
/* ... */
}
|
Risk Assessment
Failure to use parenthesis around macro definitions that contain operators can result in unintended program behavior.
Rule
Recommendation |
---|
Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|
PRE05- |
1 (low)
1 (unlikely)
2 (medium)
P2
L3
C | Low | Unlikely | Medium | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Axivion Bauhaus Suite |
| CertC-PRE05 | |||||||
CodeSonar |
| LANG.PREPROC.HASH LANG.PREPROC.PASTE | Macro uses # operator Macro uses ## operator | ||||||
Helix QAC |
| C0341, C0342, C0801, C0802, C0803, C0811, C0872, C0880, C0881, C0884 | |||||||
Klocwork |
| MISRA.DEFINE.SHARP.ORDER.2012 | |||||||
LDRA tool suite |
| 76 S, 125 S, 637 S | Enhanced Enforcement | ||||||
PC-lint Plus |
| 9024 | Assistance provided: reports any use of pasting or stringizing operators in a macro definition |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
Related Guidelines
SEI CERT C++ Coding Standard | VOID PRE05-CPP. Understand macro replacement when concatenating tokens or performing stringification |
Bibliography
[FSF 2005] | Section 3.4, "Stringification" Section 3.5, "Concatenation" |
[Saks 2008] |
...
\[[Plum 85|AA. C References#Plum 85]\] Rule 1-1
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.10, "Preprocessing directives," and Section 5.1.1, "Translation environment" Wiki Markup