SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 24

changes.mady.by.user Pamela Curtis

Saved on

compared with

New Version Current

changes.mady.by.user Caden Milne

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Changed C24 -> C23

The C90 standard allows for C23 Standard requires type specifiers and forbids implicit function declarations. The C90 Standard allows implicit typing of variables and functions. Because implicit declarations lead to less stringent type checking, they can often introduce unexpected and erroneous behavior or even security vulnerabilities.The C99 standard requires type identifiers and forbids implicit function declarations. After issuing the diagnostic, Consequently, some existing legacy code uses implicit typing. Some C compilers still support legacy code by allowing implicit typing, but it should not be used for new code. Such an implementation may choose to assume an implicit declaration and continue translation to support existing programs that used this feature.

...

Noncompliant Code Example (

...

Implicit int)

C90 Section 6.5.2 allows for C no longer allows the absence of type specifiers in a declaration. In these cases, the type is defined to be that of a signed int.Do not rely on implicit int typing. C99 Section . The C Standard, 6.7.3 paragraph 2 [ ISO/IEC 9899:2024 ], states

Except where the type is inferred (6.7.

...

At 10), at least one type specifier shall be given in the declaration specifiers in each declaration, and in the specifier-qualifier list in each struct member declaration and type name.

This non-compliant noncompliant code example omits the type specifier.:

Code Block
bgColor#FFCCCC
langc

extern foo;

Most C90 Some C implementations do not issue a diagnostic for the violation of this C99 constraint. Many C99 These nonconforming C translators will continue to treat such declarations as implying the type int.

Compliant

...

Solution (Implicit int)

This compliant solution explicitly declares foo to be of type int.includes a type specifier:

Code Block
bgColor#ccccff
langc

extern int foo;

...

Noncompliant Code Example (

...

Implicit Function Declaration)

Implicit declaration of functions is not allowed: ; every function must be explicitly declared before it can be called. In C89C90, if a function is called without an explicit prototype, the compiler provides an implicit declaration.

The C90 Standard included the Standard [ISO/IEC 9899:1990] includes this requirement:

If the expression that precedes the parenthesized argument list in a function call consists solely of an identifier, and if no declaration is visible for this identifier, the identifier is implicitly declared exactly as if, in the innermost block containing the function call, the declaration extern int identifier(); appeared.

A C99 implementation will not perform implicit function declarations.

If a function declaration is not visible at the point at which a call to the function is made, some compilers C90-compliant platforms assume an implicit declaration of extern int funcidentifier();.

This declaration implies that the function may take any number and type of arguments and return an int. However, to conform with C99, you to the current C Standard, programmers must explicitly prototype every function before invoking it. An implementation that conforms to the C Standard may or may not perform implicit function declarations, but C does require a conforming implementation to issue a diagnostic if it . This non-compliant example fails to prototype the foo() function before invoking it in main()encounters an undeclared function being used.

In this noncompliant code example, if malloc() is not declared, either explicitly or by including stdlib.h, a compiler that conforms only to C90 may implicitly declare malloc() as int malloc(). If the platform's size of int is 32 bits, but the size of pointers is 64 bits, the resulting pointer would likely be truncated as a result of the implicit declaration of malloc(), returning a 32-bit integer.

Code Block
bgColor#FFCCCC
langc
#include <stddef.h>
/* #include <stdlib.h> is missing */
 
int main(void) {
  int c = foo();
  printf("%d\n", c);
  return 0;
}

int foo(int a) {for (size_t i = 0; i < 100; ++i) {
    /* int malloc() assumed */
    char *ptr = (char *)malloc(0x10000000);
    *ptr = 'a';
  }
  return a0;
}

...

Implementation Details
When compiled with Microsoft Visual Studio 2013 for a 64-bit platform, this noncompliant code example will eventually cause an access violation when dereferencing ptr in the loop.
Compliant Solution (
...
Implicit Function Declaration)
In this This compliant solution , a prototype for foodeclares malloc() appears before the function invocation.  by including the appropriate header file:
 Code Block
bgColor#ccccff
langc
#include <stdlib.h>
int foo(int);

int main(void) {
  for int c(size_t i = foo(0);
  printf("%d\n", c);
  return 0;
}

int foo(int a) {0; i < 100; ++i) {
    char *ptr = (char *)malloc(0x10000000);
    *ptr = 'a';
  }
  return a0;
}

For more information on function declarations see , see DCL07-AC. Include the appropriate type information in function declarators.
...
Noncompliant Code Example (
...
Implicit Return Type)
Similarly, do Do not declare a function with implicit an implicit return type. If it returns For example, if a function returns a meaningful integer value, declare it it as returning int. If it returns no meaningful value, declare it it as returning void.
 Code Block
bgColor#ffcccc
langc
#include <limits.h>
#include <stdio.h>
 
foo(void) {
  return UINT_MAX;
}

int main(void) {
  long long int c = foo();
  printf("%lld\n", c);
  return 0;
}

Because the compiler assumes that foo() returns a value of type int for this noncompliant code example, UINT_MAX is incorrectly converted to -1 −1.
Compliant Solution (
...
Implicit Return Type)
This compliant solution explicitly defines the return type of foo() as unsigned int. As a result, the function correctly returns  UINT_MAX .
 Code Block
bgColor#ccccff
langc
#include <limits.h>
#include <stdio.h>

unsigned int foo(void) {
  return UINT_MAX;
}

int main(void) {
  long long int c = foo();
  printf("%lld\n", c);
  return 0;
}

Risk Assessment
Because implicit declarations lead to less stringent type checking, they can introduce unexpected and erroneous behavior. Occurrences of an omitted type specifier in existing code are rare, and the consequences are generally minor, at worst usually causing perhaps resulting in abnormal program termination.
Rule
Severity
Likelihood
Remediation Cost
Priority
Level
DCL31-C
 low 
Low
 unlikely 
Unlikely
 low 
Low
 P3 
 L3 
Automated Detection
Tool
Version
Checker
Description
Astrée
 Include Page
Astrée_V
Astrée_V
type-specifier
function-return-type
implicit-function-declaration
undeclared-parameter
Fully checked
Axivion Bauhaus Suite
 Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V
CertC-DCL31Fully implemented
Clang
 Include Page
Clang_V
Clang_V
-Wimplicit-int
Compass/ROSE



Coverity
 Include Page
Coverity_V
Coverity_V
MISRA C 2012 Rule 8.1Implemented
Cppcheck Premium
 Include Page
Cppcheck Premium_V
Cppcheck Premium_V
premium-cert-dcl31-cPartially Implemented
Can detect implicit int
ECLAIR
 Include Page
ECLAIR_V
ECLAIR_V
CC2.DCL31
Fully implemented
GCC
 Include Page
GCC_V
GCC_V

Can detect violations of this rule when the -Wimplicit and -Wreturn-type flags are used
Helix QAC
 Include Page
Helix QAC_V
Helix QAC_V
C0434, C2050, C2051, C3335Fully implemented
Klocwork
 Include Page
Klocwork_V
Klocwork_V
CWARN.IMPLICITINT
MISRA.DECL.NO_TYPE
MISRA.FUNC.NOPROT.CALL
RETVOID.IMPLICIT
Fully implemented
LDRA tool suite
 Include Page
LDRA_V
LDRA_V
24 D, 41 D, 20 S, 326 S, 496 S
Fully implemented
Parasoft C/C++test
 Include Page
Parasoft_V
Parasoft_V
CERT_C-DCL31-a
All functions shall be declared before use
PC-lint Plus
 Include Page
PC-lint Plus_V
PC-lint Plus_V
601, 718, 746, 808
Fully supported
Polyspace Bug Finder
 Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V
CERT C: Rule DCL31-C

Checks for:
  • Types not explicitly specified
  • Implicit function declaration
Rule fully covered.
PVS-Studio
 Include Page
PVS-Studio_V
PVS-Studio_V
V1031
SonarQube C/C++ Plugin
 Include Page
SonarQube C/C++ Plugin_V
SonarQube C/C++ Plugin_V
 S819, S820   Partially implemented; implicit return type not covered.
RuleChecker
 Include Page
RuleChecker_V
RuleChecker_V
type-specifier
function-return-type
implicit-function-declaration
undeclared-parameter
Fully checked
TrustInSoft Analyzer
 Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V
type specifier missing
Partially verified (exhaustively detects undefined behavior).
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
...
Related Guidelines
Key here (explains table format and definitions)
Taxonomy
Taxonomy item
Relationship
CERT C Secure Coding StandardDCL07-C. Include the appropriate type information in function declaratorsPrior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Subprogram Signature Mismatch [OTR]Prior to 2018-01-12: CERT: Unspecified Relationship
MISRA C:2012Rule 8.1 (required)Prior to 2018-01-12: CERT: Unspecified Relationship
Bibliography
...
[ISO/IEC 
...
 9899:
...
1990]
[ISO/IEC 
...
 9899
...
:2024]Subclause 6.7.
...
3, 
...
 "Type Specifiers"
[Jones 2008]

...
 Image Added   Image Added   Image Added  specifiers", Section  6.5.2.2, "Function calls"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "OTR Subprogram Signature Mismatch"
\[[Jones 08|AA. C References#Jones 08]\]
\[[MISRA 04|AA. C References#MISRA 04]\]Image Removed      02. Declarations and Initialization (DCL)       DCL32-C. Guarantee that mutually visible identifiers are unique