SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 22

changes.mady.by.user David Svoboda

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Use Using type definitions (typedef) to can often improve code readability.

...

. However, type definitions to pointer types can make it more difficult to write const-correct code because the const qualifier will be applied to the pointer type, not to the underlying declared type.

Noncompliant Code Example

The following declaration of the signal() function does not make use of typedef names and is consequently hard to read.type definition improves readability at the expense of introducing a const-correctness issue. In this example, the const qualifier applies to the typedef instead of to the underlying object type. Consequently, func does not take a pointer to a const struct obj but instead takes a const pointer to a struct obj.

Code Block
bgColor#FFcccc
langc
struct obj {
  int i;
  float f;
};
typedef struct obj *ObjectPtr;
 
void func(const ObjectPtr o) {
  /* Can actually modify o's contents, against expectations */
}

Compliant Solution

This compliant solution makes use of type definitions but does not declare a pointer type and so cannot be used in a const-incorrect manner:

Code Block
bgColor#ccccff
langc
struct obj {
  int i;
  float f;
};
typedef struct obj Object;
 
void func(const Object *o) {
  /* Cannot modify o's contents */
}

Noncompliant Code Example (Windows)

The Win32 SDK headers make use of type definitions for most of the types involved in Win32 APIs, but this noncompliant code example demonstrates a const-correctness bug:

Code Block
bgColor#FFcccc
langc
#include <Windows.h>
/* typedef char *LPSTR; */
 
void func(const LPSTR str) {
  /* Can mutate str's contents, against expectations */
}

Compliant Solution (Windows)

This compliant solution demonstrates a common naming convention found in the Win32 APIs, using the proper const type:

Code Block
bgColor#ccccff
langc
#include <Windows.h>
/* typedef const char *LPCSTR; */
 
void func(LPCSTR str) {
  /* Cannot modify str's contents */
}

Noncompliant Code Example (Windows) 

Note that many structures in the Win32 API are declared with pointer type definitions but not pointer-to-const type definitions (LPPOINT, LPSIZE, and others). In these cases, it is suggested that you create your own type definition from the base structure type.

Code Block
bgColor#FFcccc
langc
#include <Windows.h>
/*
  typedef struct tagPOINT {
    long x, y;
  } POINT, *LPPOINT;
*/
 
void func(const LPPOINT pt) {
  /* Can modify pt's contents, against expectations */
}

Compliant Solution (Windows)

Code Block
bgColor#ccccff
langc
#include <Windows.h>
/*
  typedef struct tagPOINT {
    long x, y;
  } POINT, *LPPOINT;
*/
 
typedef const POINT *LPCPOINT;
void func(LPCPOINT pt) {
  /* Cannot modify pt's contents */
}

Noncompliant Code Example

In this noncompliant code example, the declaration of the signal() function is difficult to read and comprehend:

Code Block
bgColor#FFcccc
langc
Code Block
bgColor#FFcccc

void (*signal(int, void (*)(int)))(int);

Compliant Solution

This compliant solution makes use of typedef names type definitions to specify exactly the same type as in the non-compliant coding example.noncompliant code example:

Code Block
bgColor#ccccff
langc

typedef void (*SighandlerType)(int signum);
extern SighandlerType *signal(
  int signum,
  SighandlerType *handler
);

Exceptions

Function pointer types are an exception to this recommendation. 

Risk Assessment

Code readability is important for discovering and eliminating vulnerabilities.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

DCL05-

A

1 (low)

1 (unlikely)

2 (medium)

C

Low

Unlikely

Medium

P2

L3

Automated Detection

...

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
pointer-typedefFully checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-DCL05
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
LANG.STRUCT.PITPointer type inside typedef
Compass/ROSE




Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C5004
LDRA tool suite
Include Page
LDRA_V
LDRA_V

299 S

Partially implemented

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V
CERT_C-DCL05-a

Declare a type of parameter as typedef to pointer to const if the pointer is not used to modify the addressed object

RuleChecker
Include Page
RuleChecker_V
RuleChecker_V
pointer-typedef
Fully checked

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.7.7, "Type definitions"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "BRS Leveraging human experience"

Related Guidelines

CERT C Secure Coding StandardDCL12-C. Implement abstract data types using opaque types
SEI CERT C++ Coding StandardVOID DCL05-CPP. Use typedefs to improve code readability


...

Image Added Image Added Image AddedDCL04-A. Understand the caveats of declaring more than one variable per declaration      02. Declarations and Initialization (DCL)       DCL06-A. Use meaningful symbolic constants to represent literal values in program logic