Parenthesize all variable parameter names in macro definitions. See also \[[PRE00-AC. Prefer inline or static functions to macros]\] and \[[PRE02-A. Macro expansion should always be parenthesized for function-like macros]\]. Wiki Markup
...
function-like macros and PRE02-C. Macro replacement lists should be parenthesized.
Noncompliant Code Example
This CUBE()
macro definition is non-compliant noncompliant because it fails to parenthesize the variable parameter names.:
Code Block | ||||
---|---|---|---|---|
| ||||
#define CUBE(I) (I * I * I) int a = 81 / CUBE(2 + 1); |
As a result, the invocation
Code Block | ||||
---|---|---|---|---|
| ||||
int a = 81 / CUBE(2 + 1);
|
expands to
Code Block | ||||
---|---|---|---|---|
| ||||
int a = 81 / (2 + 1 * 2 + 1 * 2 + 1); /* evaluatesEvaluates to 11 */ |
Which which is clearly not the desired result.
Compliant Solution
Parenthesizing all variable parameter names in the CUBE()
macro allows it to expand correctly (when invoked in this manner).:
Code Block | ||||
---|---|---|---|---|
| ||||
#define CUBE(I) ( (I) * (I) * (I) )
int a = 81 / CUBE(2 + 1);
|
Non-Compliant Code Example (EOF)
In this example, EOF
is defined without parenthesizing the -1
. Additionally, the programmer mistakenly omitted the comparison operator from the conditional statement. After macro expansion, the conditional will be incorrectly evaluated as a binary operation: c-1
.
Exceptions
PRE01-C-EX1: When the parameter names are surrounded by commas in the replacement text, regardless of how complicated the actual arguments are, there is no need for parenthesizing the macro parameters. Because commas have lower precedence than any other operator, there is no chance of the actual arguments being parsed in a surprising way. Comma separators, which separate arguments in a function call, also have lower precedence than other operators, although they are technically different from comma operators.
Code Block | ||
---|---|---|
#define FOO(a, b, c) bar(a, b, c)
| ||
Code Block | ||
| ||
#define EOF -1 /* ... */ if (c EOF) { /* ... */ }FOO(arg1, arg2, arg3); |
unmigratedPRE01-wiki-markup
Note that this example also violates \[[MSC02-A. Avoid errors of omission]\].
Compliant Solution (EOF)
Parenthesizing the -1
in the declaration of EOF
does not correct the omission of the comparison operator, but it does ensure the -1
is evaluated as a unary operation.
Code Block | ||
---|---|---|
| ||
#define EOF (-1)
/* ... */
if (c EOF) {
/* ... */
}
|
The code above will fail compilation as after macro expansion the conditional will evaluate to c(-1)
. To fully correct this example the error of omission must also be addressed.
...
bgColor | #ccccff |
---|
C-EX2: Macro parameters cannot be individually parenthesized when concatenating tokens using the ##
operator, converting macro parameters to strings using the #
operator, or concatenating adjacent string literals. The following JOIN()
macro concatenates both arguments to form a new token. The SHOW()
macro converts the single argument into a string literal, which is then passed as a parameter to printf()
and as a string and as a parameter to the %d
specifier. For example, if SHOW()
is invoked as SHOW(66);
, the macro would be expanded to printf("66" " = %d\n", 66);
.
Code Block |
---|
#define JOIN(a, b) (a ## b)
#define SHOW(a) printf(#a " = %d\n", a)
|
See PRE05-C. Understand macro replacement when concatenating tokens or performing stringification for more information on using the ##
operator to concatenate tokens.
...
Risk Assessment
Failing to parenthesize around the variable parameter names within in a macro can result in unintended program behavior.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
PRE01-C | Medium | Probable | Low | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| macro-parameter-parentheses | Fully checked | ||||||
Axivion Bauhaus Suite |
| CertC-PRE01 | Fully implemented | ||||||
ECLAIR |
| CC2.PRE01 | Fully implemented | ||||||
Helix QAC |
| C3410 | |||||||
Klocwork |
| MISRA.DEFINE.NOPARS | |||||||
LDRA tool suite |
| 78 S | Enhanced Enforcement | ||||||
Parasoft C/C++test |
| CERT_C-PRE01-a | In the definition of a function-like macro each instance of a parameter shall be enclosed in parentheses unless it is used as the operand of # or ## |
PRE01-A
1 (low)
1 (unlikely)
3 (low)
P3
PC-lint Plus |
| 9022 | Fully supported | ||||||
Polyspace Bug Finder |
| CERT C: Rec. PRE01-C | Checks for expanded macro parameters not enclosed in parentheses (rule partially supported) | ||||||
PVS-Studio |
| V733 | |||||||
RuleChecker |
| macro-parameter-parentheses | Fully checked |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
Related Guidelines
SEI CERT C++ Coding Standard | VOID PRE01-CPP. Use parentheses within macros around parameter names |
ISO/IEC TR 24772:2013 | Operator Precedence/Order of Evaluation [JCW] Pre-processor Directives [NMP] |
MISRA C:2012 | Rule 20.7 (required) |
Bibliography
[Plum 1985] | |
[Summit 2005] | Question 10.1 |
...
\[[Summit 05|AA. C References#Summit 05]\] Question 10.1
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.10, "Preprocessing directives," and Section 5.1.1, "Translation environment" Wiki Markup