...
Subclause 4 explains how the standard identifies undefined behavior . (See see also undefined behavior 1 of Annex J).)
If a "shall" or "shall not" requirement that appears outside of a constraint is violated, the behavior is undefined. Undefined behavior is otherwise indicated in this International Standard by the words "undefined behavior" or by the omission of any explicit definition of behavior. There is no difference in emphasis among these three; they all describe "behavior that is undefined".
...
An example of undefined behavior in C is the behavior on signed integer overflow . (See see also INT32-C. Ensure that operations on signed integers do not result in overflow). ) This noncompliant code example depends on this behavior to catch the overflow:
...
Although it is rare that the entire application can be strictly conforming, the goal should be that almost all the code is allowed for a strictly conforming program (which among other things means that it avoids undefined behavior), with the implementation-dependent parts confined to modules that the programmer knows are needed to adapt to the platform when it changes.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MSC15-C | High | Likely | Medium | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description |
|---|
| Astrée |
| Supported: Astrée reports undefined behavior. | |||||||
| Helix QAC |
|
|
|
48 D, 63 D, 84 D, 113 D, 5 Q, 64 S, 65 S, 100 S, 109 S, 156 S, 296 S, 324 S, 335 S, 336 S, 339 S, 412 S, 427 S, 465 S, 482 S, 497 S, 545 S, 587 S, 608 S, 642 S, 62 X, 63 X
0160,0161,0162,0163,0164,0165,0166,0167,0168,0169,0170,0171,
0172,0173,0174,0175,0176,0177,0178,0179, 0184,0185,0186,0190,
0191,0192,0193,0194,0195,0196,0197,0198,0199,0200,0201,0203,0204,
0206, 0207,0208,0235,0275,0304,0309,0337,0400,0401,0402,0403,0543,
0544,0545,0602,0623,0625,0626,0630,0632,0636,0654,0658,0661,0667,
0668,0672,0706,0745,0777,0779,0809,0813,0814,0836,0837,0848,0853,
0854,0864,0865,0867,0872,0874,0885,0887,0888,0914,0915,0942,3113,3114,
3239,3319,3438,0301,0302,0307,0475,0676,0678,0680,3311,3312,3437,1509,1510
C0160, C0161, C0162, C0163, C0164, C0165, C0166, C0167, C0168, C0169, C0170, C0171, C0172, C0173, C0174, C0175, C0176, C0177, C0178, C0179, C0184, C0185, C0186, C0190, C0191, C0192, C0193, C0194, C0195, C0196, C0197, C0198, C0199, C0200, C0201, C0203, C0204, C0206, C0207, C0208, C0235, C0275, C0301, C0302, C0304, C0307, C0309, C0323, C0327, C0337, C0400, C0401, C0402, C0403, C0475, C0543, C0544, C0545, C0602, C0603, C0623, C0625, C0626, C0630, C0632, C0636, C0654, C0658, C0661, C0667, C0668, C0672, C0676, C0678, C0680, C0706, C0745, C0777, C0779, C0813, C0814, C0821, C0836, C0837, C0848, C0853, C0854, C0864, C0865, C0867, C0872, C0874, C0885, C0887, C0888, C0914, C0915, C0942, C1509, C1510, C3113, C3114, C3239, C3311, C3312, C3319, C3437, C3438 | |||||||||
| LDRA tool suite |
| 48 D, 63 D, 84 D, 113 D, 5 Q, 64 S, 65 S, 100 S, 109 S, 156 S, 296 S, 324 S, 335 S, 336 S, 339 S, 412 S, 427 S, 465 S, 482 S, 497 S, 545 S, 587 S, 608 S, 642 S, 62 X, 63 X | Partially implemented | ||||||
| Parasoft C/C++test |
| CERT_C-MSC15-a | Evaluation of constant unsigned integer expressions should not lead to wrap-around | ||||||
| Polyspace Bug Finder |
| Checks for undefined behavior (rec. partially covered) | |||||||
| PVS-Studio |
| V772 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ Coding Standard | VOID MSC15-CPP. Do not depend on undefined behavior |
| ISO/IEC TR 24772 | Unspecified Behaviour [BQF] Undefined Behaviour [EWF] Implementation-Defined Behaviour [FAB] |
Bibliography
| [ISO/IEC 9899:2011] | Subclause 3.4.3, "Undefined Behavior" Subclause 4, "Conformance" Subclause J.2, "Undefined Behavior" |
| [Seacord 2013] | Chapter 5, "Integer Security" |
...
...