...
analyzer [ISO/IEC TS 17961:2013]
Mechanism that diagnoses coding flaws in software programs.
...
async-signal-safe function [ISO/IEC 9945:2008]
A function that may be invoked, without restriction, from signal-catching functions. No function (defined in ISO/IEC 9945) is async-signal-safe unless explicitly described as such. See asynchronous-safe.
asynchronous-safe function [GNU Pth]
A function is asynchronous-safe, or asynchronous-signal safe, if it can be called safely and without side effects from within a signal handler context. That is, it must be able to be interrupted at any point to run linearly out of sequence without causing an inconsistent state. It must also function properly when global data might itself be in an inconsistent state. Some asynchronous-safe operations are listed here:
- Call the signal() function to reinstall a signal handler.
- Unconditionally modify a volatile sig_atomic_t variable (as modification to this type is atomic).
- Call the _Exit() function to immediately terminate program execution.
- Invoke an asynchronous-safe function, as specified by the implementation.
Few functions are portably asynchronous-safe.
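The handler below, an added example rather than text from this glossary, restricts itself to exactly the operations listed above (assign a volatile sig_atomic_t, reinstall with signal(), bail out with _Exit()) and leaves the real work to normal program context. The function names are assumptions made here; it assumes a C implementation where raise() runs the handler before returning, as ISO C specifies.

```c
#include <signal.h>
#include <stdlib.h>

/* The only object the handler touches: a volatile sig_atomic_t flag, which
   the glossary lists as safe to modify unconditionally from a handler. */
static volatile sig_atomic_t signal_seen = 0;

/* Asynchronous-safe handler: it sets the flag and reinstalls itself with
   signal(), which is needed on implementations with nonpersistent handlers
   (the disposition is reset to SIG_DFL when the signal is delivered).
   It deliberately avoids printf(), malloc(), free() and any other function
   that may leave global state inconsistent when interrupted. */
static void on_signal(int sig) {
    signal_seen = 1;
    if (signal(sig, on_signal) == SIG_ERR) {
        _Exit(EXIT_FAILURE);   /* _Exit() is asynchronous-safe; exit() is not */
    }
}

/* Installs the handler for SIGINT. Returns 0 on success, 1 on failure. */
int install_handler(void) {
    return signal(SIGINT, on_signal) == SIG_ERR ? 1 : 0;
}

/* Consumes the flag; the real work belongs here, in normal context,
   not inside the handler. Returns 1 if a signal had been observed. */
int consume_signal_flag(void) {
    if (signal_seen) {
        signal_seen = 0;
        return 1;
    }
    return 0;
}

/* Delivers SIGINT to the process twice with raise() and returns how many
   deliveries reached the handler; 2 shows the reinstallation worked even
   if the implementation resets the disposition after the first delivery. */
int deliver_twice(void) {
    int observed = 0;
    if (raise(SIGINT) != 0) return -1;
    observed += consume_signal_flag();
    if (raise(SIGINT) != 0) return -1;
    observed += consume_signal_flag();
    return observed;
}
```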
...
critical sections
Code that accesses shared data and that would otherwise be protected from data races.
...
NOTE
Tracking can be performed intraprocedurally, with various assumptions made about what happens at function call boundaries, or interprocedurally, where values are tracked flowing into function calls (directly or indirectly) as arguments and flowing back out either as return values or indirectly through arguments.
Data flow analysis may or may not track values flowing into or out of the heap or take into account global variables. When this specification refers to values flowing, the key point is contrast with variables or expressions, because a given variable or expression may hold different values along different paths, and a given value may be held by multiple variables or expressions along a path.
data race [ISO/IEC 9899:2011]
The execution of a program contains a data race if it contains two conflicting actions in different threads, at least one of which is not atomic, and neither happens before the other. Any such data race results in undefined behavior.
...
diagnostic message [ISO/IEC 9899:2011]
A message belonging to an implementation-defined subset of the implementation's message output. A diagnostic message may indicate a constraint violation or a valid but questionable language construct. Messages typically include the file name and line number pointing to the offending code construct. In addition, implementations also often indicate the severity of the problem. Although the C Standard does not specify any such requirement, the most severe problems often cause implementations to fail to fully translate a translation unit. Diagnostics output in such cases are termed errors. Other problems may cause implementations simply to issue a warning message and continue translating the rest of the program. See error message and warning message.
...
fatal diagnostic
A diagnostic message that causes an implementation not to perform the translation.
...
function-like macro [ISO/IEC 9899:2011]
A #define preprocessing directive that defines an identifier immediately followed by zero or more parameters, the ellipsis (...), or a combination of the two, enclosed in parentheses, similar syntactically to a function call. Subsequent instances of the macro name followed by a parenthesized list of arguments in a translation unit are replaced by the replacement list of preprocessing tokens that constitute the remainder of the directive. See object-like macro and unsafe function-like macro.
hosted environment [ISO/IEC 9899:2011]
An environment that is not freestanding. Program startup occurs at main(), complex types are implemented, and all C standard library facilities are available.
...
in-band error indicator [ISO/IEC TS 17961:2013]
A library function return value on error that can never be returned by a successful call to that library function.
...
mitigation [Seacord 2005a]
Methods, techniques, processes, tools, or runtime libraries that can prevent or limit exploits against vulnerabilities.
mutilated value
Result of an operation performed on an untainted value that yields either an undefined result (such as the result of signed integer overflow), the result of right-shifting a negative number, implicit conversion to an integral type where the value cannot be represented in the destination type, or unsigned integer wrapping.
EXAMPLE
int j = INT_MAX + 1; // j is mutilated
char c = 1234; // c is mutilated if char is eight bits
unsigned int u = 0U - 1; // u is mutilated
NOTE
A mutilated value can be just as dangerous as a tainted value because it can differ either in sign or magnitude from what the programmer expects.
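As an added example (not part of this glossary), the three checked operations below refuse to produce each mutilated value shown in the EXAMPLE: the signed overflow, the narrowing conversion to char, and the unsigned wrap. The function names are assumptions made here.

```c
#include <limits.h>
#include <stdbool.h>

/* Stores a + b in *out only when the sum is representable, so the result
   is never mutilated by signed integer overflow (undefined behavior,
   as in the glossary's "INT_MAX + 1"). */
bool add_int_checked(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) {
        return false;
    }
    *out = a + b;
    return true;
}

/* Guards the implicit narrowing conversion behind "char c = 1234":
   a value outside CHAR_MIN..CHAR_MAX is rejected instead of silently
   changed, whatever the width of char on this implementation. */
bool int_to_char_checked(int v, char *out) {
    if (v < CHAR_MIN || v > CHAR_MAX) {
        return false;
    }
    *out = (char)v;
    return true;
}

/* Refuses the unsigned wrap behind "0U - 1": the subtraction is only
   performed when it cannot wrap modulo UINT_MAX + 1. */
bool sub_uint_checked(unsigned a, unsigned b, unsigned *out) {
    if (b > a) {
        return false;
    }
    *out = a - b;
    return true;
}
```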
nonpersistent signal handler
Signal handler running on an implementation that requires the program to again register the signal handler after occurrences of the signal to catch subsequent occurrences of that signal.
normal program termination [IEEE Std 1003.1-2013]
Normal termination occurs by a return from main(), when requested with the exit(), _exit(), or _Exit() functions, or when the last thread in the process terminates by returning from its start function, by calling the pthread_exit() function, or through cancellation. See abnormal termination.
...
reentrant [ISO/IEC/IEEE 24765:2010]
Pertaining to a software module that can be entered as part of one process while also in execution as part of another process and still achieve the desired results.
...
NOTE
The IEC 60559 standard for binary floating-point arithmetic requires certain user-accessible status flags and control modes. Floating-point operations implicitly set the status flags; modes affect result values of floating-point operations. Implementations that support such a floating-point state are required to regard changes to it as side effects. These are detailed in Annex F of the C Standard.
static analysis [ISO/IEC TS 17961:2013]
Any process for assessing code without executing it.
...
string [ISO/IEC 9899:2011]
A string is a contiguous sequence of characters terminated by and including the first null character.
...
- parameters to the main() function,
- the returned values from localeconv(), fgetc(), getc(), getchar(), fgetwc(), getwc(), and getwchar(), and
- the strings produced by getenv(), fscanf(), vfscanf(), vscanf(), fgets(), fread(), fwscanf(), vfwscanf(), vwscanf(), wscanf(), and fgetws().
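As an added example (not from this glossary), the function below sanitizes a string from one of the tainted sources listed above (a getenv() result or an fgets() buffer) into a port number; only when every check passes does the value stop being tainted. The function name and the port-number domain are assumptions made here.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Sanitizes a tainted string into a TCP port number. Returns true only when
   the whole string is a decimal integer in 1..65535; on false the caller
   has no untainted value and must not use the input. */
bool sanitize_port(const char *tainted, int *port) {
    char *end;
    long v;

    if (tainted == NULL || *tainted == '\0') {
        return false;                 /* empty input carries no value */
    }
    errno = 0;
    v = strtol(tainted, &end, 10);
    if (errno == ERANGE) {
        return false;                 /* does not fit in long at all */
    }
    if (*end == '\n') {
        end++;                        /* fgets() keeps the trailing newline */
    }
    if (*end != '\0') {
        return false;                 /* trailing characters: not a number */
    }
    if (v < 1 || v > 65535) {
        return false;                 /* outside the valid port range */
    }
    *port = (int)v;                   /* now a sanitized, untainted value */
    return true;
}
```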
tainted value [ISO/IEC TS 17961:2013]
Value derived from a tainted source that has not been sanitized.
...
NOTE
For the purposes of this definition, a pointer to an object that is not an element of an array behaves the same as a pointer to the first element of an array of length one with the type of the object as its element type (see C Standard, 6.5.8, paragraph 4).
For the purposes of this definition, an object can be considered to be an array of a certain number of bytes; that number is the size of the object, as produced by the sizeof operator (see C Standard, 6.3.2.3, paragraph 7).
validation [IEC 61508-4]
Confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled.
...