Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated references from C11->C23

The C standardStandard, section subclause 3.45.3 [ISO/IEC 9899:20112024], defines undefined behavior as

behavior, upon use of a nonportable or erroneous program construct or of erroneous data, for

which this International Standard

which this document imposes no requirements

.

Section Subclause 4 explains how the standard identifies undefined behavior . (See see also undefined behavior 1 of Annex J).)

If a "shall" or "shall not" requirement that appears outside of a

constraint is violated

constraint or runtime-constraint is violated, the behavior is undefined. Undefined behavior is otherwise indicated in this

International Standard by the

document by the words "undefined behavior" or by the omission of any explicit definition of behavior. There is no difference in emphasis among these three; they all describe "behavior that is undefined".

Annex J, section subclause J.2, "Undefined behavior," enumerates the circumstances under which the behavior of a program is undefined. This list is duplicated on the CC. Undefined Behavior page.

Behavior can be classified as undefined by the C standards committee for the following reasons:

  • to To give the implementor license not to catch certain program errors that are difficult to diagnose
  • to To avoid defining obscure corner cases which that would favor one implementation strategy over another
  • to To identify areas of possible conforming language extension: the implementor may augment the language by providing a definition of the officially undefined behavior

Conforming implementations can deal with undefined behavior in a variety of fashions, such as ignoring the situation completely, with unpredictable results; translating or executing the program in a documented manner characteristic of the environment (with or without the issuance of a diagnostic message); or terminating a translation or execution (with the issuance of a diagnostic message). Because compilers are not obligated to generate code for undefined behavior, these behaviors are candidates for optimization. By assuming that undefined behaviors will not occur, compilers can generate code with better performance characteristics.

Increasingly, compiler writers are taking advantage of undefined behaviors in the C programming languages to improve optimizations. Frequently, these optimizations are interfering These optimizations frequently interfere with the ability of developers to perform cause-effect analysis on their source code, that code—that is, analyzing to analyze the dependence of downstream results on prior results.   Consequently, these optimizations are eliminating causality in software and are increasing the probability of software faults, defects, and vulnerabilities.

All of this puts the onus on the programmer to develop code that is free from undefined behaviors, with or without the help of the compiler.

Noncompliant Code Example

An example of undefined behavior in C is the behavior on signed integer overflow . (See see also INT32-C. Ensure that operations on signed integers do not result in overflow). ) This noncompliant code example depends on this behavior to catch the overflow.:

Code Block
bgColor#FFCCCC
langc
#include <assert.h>
#include <limits.h>
#include <stdio.h>
 
int foo(int a) {
  assert(a + 100 > a);
  printf("%d %d\n", a + 100, a);
  return a;
}

int main(void) {
  foo(100);
  foo(INT_MAX);
  return 0;
}

This code tests checks for signed integer overflow by testing to see if whether a + 100 > a. This test cannot evaluate to false unless an integer overflow occurs. However, because a conforming implementation is not required to generate code for undefined behavior, and signed integer overflow is undefined behavior, this code may be compiled out. For example, GCC version 4.1.1 optimizes out the assertion for all optimization levels, and version and GCC 4.2.3 optimizes out the assertion for programs compiled with -O2-level optimization and higher.

...

This compliant solution does not depend on undefined behavior.:

Code Block
bgColor#ccccff
langc
#include <assert.h>
#include <limits.h>
#include <stdio.h>

int foo(int a) {
  assert(a < (INT_MAX - 100));
  printf("%d %d\n", a + 100, a);
  return a;
}

int main(void) {
  foo(100);
  foo(INT_MAX);
  return 0;
}

Risk Assessment

Although it is rare that the entire application can be strictly conforming, the goal should be that almost all the code is allowed for a strictly conforming program (which among other things means that it avoids undefined behavior), with the implementation-dependent parts confined to modules that the programmer knows are needed to adapt to the platform when it changes.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

MSC15-C

high

High

likely

Likely

medium

Medium

P18

L1

Automated Detection

Tool

Version

Checker

Description

PRQA QA-C Include PagePRQA_VPRQA_V 0160Partially implemented

Astrée
Include Page
Astrée_V
Astrée_V

Supported: Astrée reports undefined behavior.
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0160, C0161, C0162, C0163, C0164, C0165, C0166, C0167, C0168, C0169, C0170, C0171, C0172, C0173, C0174, C0175, C0176, C0177, C0178, C0179, C0184, C0185, C0186, C0190, C0191, C0192, C0193, C0194, C0195, C0196, C0197, C0198, C0199, C0200, C0201, C0203, C0204, C0206, C0207, C0208, C0235, C0275, C0301, C0302, C0304, C0307, C0309, C0323, C0327, C0337, C0400, C0401, C0402, C0403, C0475, C0543, C0544, C0545, C0602, C0603, C0623, C0625, C0626, C0630, C0632, C0636, C0654, C0658, C0661, C0667, C0668, C0672, C0676, C0678, C0680, C0706, C0745, C0777, C0779, C0813, C0814, C0821, C0836, C0837, C0848, C0853, C0854, C0864, C0865, C0867, C0872, C0874, C0885, C0887, C0888, C0914, C0915, C0942, C1509, C1510, C3113, C3114, C3239, C3311, C3312, C3319, C3437, C3438


LDRA tool suite
Include Page
LDRA_V
LDRA_V

48 D, 63 D, 84 D, 113 D, 5 Q, 64 S, 65 S, 100 S, 109 S, 156 S, 296 S, 324 S, 335 S, 336 S, 339 S, 412 S, 427 S, 465 S, 482 S, 497 S, 545 S, 587 S, 608 S, 642 S, 62 X, 63 X

Partially implemented
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V
CERT_C-MSC15-a

Evaluation of constant unsigned integer expressions should not lead to wrap-around

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. MSC15-C


Checks for undefined behavior (rec. partially covered)

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V772

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

...

...

TR 24772Unspecified Behaviour [BQF]
Undefined Behaviour [EWF]
Implementation-Defined Behaviour [FAB]

Bibliography

[ISO/IEC 9899:2024]Subclause 3.5.3, "Undefined

...

Behavior"

...


Subclause 4, "Conformance

...

"

...


Subclause J.2, "Undefined

...

ISO/IEC TR 24772 "BQF Unspecified behaviour," "EWF Undefined behaviour," and "FAB Implementation-defined behaviour"

Sources

...

Behavior"
[Seacord 2013]Chapter 5, "

...

Integer Security"


...

Image Modified Image Modified Image Modified