SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 79

changes.mady.by.user David Keaton

Saved on

compared with

New Version Current

changes.mady.by.user Swasti Shrivastava

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

A signal handler should not reassert its desire to handle its own signal. This is often done on nonpersistent platforms—that is, platforms that, upon receiving a signal, reset the handler for the signal to SIG_DFL before calling the bound signal handler. Calling signal() under these conditions presents a race condition. (see See SIG01-C. Understand implementation-specific details regarding signal handler persistence.).

A signal handler may call signal() only if it does not need to be asynchronous-safe (that is, if all relevant signals are masked so that the handler cannot be interrupted).

...

Compliant Solution (Windows)

There are two classes of signals in the Microsoft Visual Studio implementation:

  • SIGSEGV, SIGILL, and SIGFPE have per-thread handlers, so each thread may register its own handler for these signals.
  • SIGABRT, SIGBREAK, SIGTERM, and SIGINT have global handlers and access to these handlers is synchronized via a global lock.

There is no safe way to implement persistent signal-handler behavior on Windows platforms, and it should not be attempted. If a design depends on this behavior, and the design cannot be altered, it may be necessary to claim a deviation from this rule after completing an appropriate risk analysis.

The reason for this is that Windows is a nonpersistent platform as discussed above.  Just before calling the current handler function, Windows resets the handler for the next occurrence of the same signal to SIG_DFL. If the handler calls signal() to reinstall itself, there is still a race window. A signal might occur between the start of the handler and the call to signal(), which would invoke the default behavior instead of the desired handlerFor the signals with global handlers, the handler is reset to SIG_DFL and the handler is called under a lock, so there is no race if signal() is called again from the handler to reassert itself as the handler. For the signals with per-thread handlers, the state is local to the thread and resultantly there is no opportunity for a race.

Exceptions

SIG34-C-EX1: For implementations with persistent signal handlers, it is safe for a handler to modify the behavior of its own signal. Behavior modifications include ignoring the signal, resetting to the default behavior, and having the signal handled by a different handler. A handler reasserting its binding is also safe but unnecessary.

...

Two signals in quick succession can trigger a race condition on nonpersistent platforms, causing the signal's default behavior despite a handler's attempt to override it.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SIG34-C

Low

Unlikely

Low

P3

L3

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
signal-handler-signal-callPartially checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-SIG34
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
BADFUNC.SIGNALUse of signal
Compass/ROSE
  


Can detect violations of this rule. However, false positives may occur on systems with persistent handlers
Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

premium-cert-sig34-cFully implemented
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C5021

C++5022


Klocwork
Include Page
Klocwork_V
Klocwork_V

MISRA.STDLIB.SIGNAL


LDRA tool suite
Include Page
LDRA_V
LDRA_V
97 DFully implemented
Parasoft C/C++test
9.5MISRA2012-RULE-21_5_bUse of signalPRQA QA-C Include Page
Include Page
Parasoft_V
Parasoft_V

CERT_C-SIG34-a

Properly define signal handlers
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

2762, 2763

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule SIG34-CChecks for signal call from within signal handler (rule partially covered)
RuleChecker
Include Page
RuleChecker_V
RuleChecker_V
signal-handler-signal-callPartially checked
PRQA QA-C_vPRQA QA-C_vWarncall -wc signalPartially implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT C Secure Coding StandardSIG01-C. Understand implementation-specific details regarding signal handler persistencePrior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961:2013Calling signal from interruptible signal handlers [sigcall]
MITRE CWECWE-479, Signal Handler Use of a Non-reentrant Function

...

Prior to 2018-01-12: CERT: Unspecified Relationship


...

Image Modified Image Modified Image Modified