Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Assertions are a valuable diagnostic tool for finding and eliminating software defects that may result in vulnerabilities.  (See see MSC11-C. Incorporate diagnostic tests using assertions). ) The runtime assert() macro has some limitations, however, in that it incurs a runtime overhead and because it calls abort(). Consequently, the runtime assert() macro is useful only useful for identifying incorrect assumptions and not for runtime error checking. As a result, runtime assertions are generally unsuitable for server programs or embedded systems.

...

Code Block
static_assert(constant-expression, string-literal);

Section Subclause 6.7.10 of the C Standard [ISO/IEC 9899:2011] states:

The constant expression shall be an integer constant expression. If the value of the constant expression compares unequal to 0, the declaration has no effect. Otherwise, the constraint is violated and the implementation shall produce a diagnostic message that includes the text of the string literal, except that characters not in the basic source character set are not required to appear in the message.

This It means that if constant-expression is true, nothing will happen. However, if constant-expression is false, an error message containing string-literal will be output at compile time.

...

This noncompliant code uses the assert() macro to assert a property concerning a memory-mapped structure that is essential for the code to behave correctly.:

Code Block
bgColor#FFCCCC
langc
#include <assert.h>
 
struct timer {
  uint8_tunsigned char MODE;
  unsigned uint32_tint DATA;
  unsigned uint32_tint COUNT;
};
 
int func(void) {
  assert(offsetofsizeof(struct timer, DATA) == 4 sizeof(unsigned char) + sizeof(unsigned int) + sizeof(unsigned int));
}

Although the use of the runtime assertion is better than nothing, it needs to be placed in a function and executed. This means that it is usually far away from the definition of the actual structure to which it refers. The diagnostic occurs only at runtime and only if the code path containing the assertion is executed.

...

For assertions involving only constant expressions, some implementations allow the use of a preprocessor conditional statement may be used, as in this examplecompliant solution:

Code Block
bgColor#ccccff
langc
struct timer {
  unsigned uint8_tchar MODE;
  unsigned uint32_tint DATA;
  unsigned uint32_tint COUNT;
};

#if (offsetofsizeof(struct timer, DATA) != 4 (sizeof(unsigned char) + sizeof(unsigned int) + sizeof(unsigned int)))
  #error "DATAStructure must benot athave offsetany 4padding"
#endif

Using #error directives allows for clear diagnostic messages. Because this approach evaluates assertions at compile time, there is no runtime penalty.Unfortunately, this solution is not portable. The C Standard does not require that implementations support sizeof, offsetof, or enumeration constants in #if conditions. According to section 6.10.1, "Conditional inclusion," all identifiers in the expression that controls conditional inclusion either are or are not macro names. Some compilers allow these constructs in conditionals as an extension, but most do not.

Compliant Solution

This portable compliant solution uses static_assert.:

Code Block
bgColor#ccccff
langc
#include <assert.h>
 
struct timer {
  unsigned uint8_tchar MODE;
  unsigned uint32_tint DATA;
  unsigned uint32_tint COUNT;
};

static_assert(offsetofsizeof(struct timer, DATA) == 4, "DATAsizeof(unsigned char) + sizeof(unsigned int) + sizeof(unsigned int),
              "Structure must benot athave offsetany 4padding");

Static assertions allow incorrect assumptions to be diagnosed at compile time instead of resulting in a silent malfunction or runtime error. Because the assertion is performed at compile time, no runtime cost in space or time is incurred. An assertion can be used at file or block scope, and failure results in a meaningful and informative diagnostic error message.

Other uses of static assertion are shown in STR07-C. Use the bounds-checking interfaces for remediation of existing string manipulation code and FIO35FIO34-C. Use feof() and ferror() to detect end-of-file and file errors when sizeof(int) == sizeof(char)Distinguish between characters read from a file and EOF or WEOF.

Risk Assessment

Static assertion is a valuable diagnostic tool for finding and eliminating software defects that may result in vulnerabilities at compile time. The absence of static assertions, however, does not mean that code is incorrect.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

DCL03-C

low

Low

unlikely

Unlikely

high

High

P1

L3

Automated Detection

Tool

Version

Checker

Description

Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-DCL03
Clang
Include Page
Clang_V
Clang_V
misc-static-assertChecked by clang-tidy
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
(customization)Users can implement a custom check that reports uses of the assert() macro
Compass/ROSE

 

 



Could detect violations of this rule merely by looking for calls to assert(), and if it can evaluate the assertion (due to all values being known at compile time), then the code should use static-assert instead

. This

; this assumes ROSE can recognize macro invocation

.

LDRA tool suite

Include PageLDRA_VLDRA_V

44 S

Fully implemented.

ECLAIR
Include Page
ECLAIR_V
ECLAIR_V
macrcall
CC2.DCL03Fully implemented
.
PRQA QA·C
LDRA tool suite
Include Page
PRQA
LDRA_V
PRQA
LDRA_V
 

44 S

Fully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

 Bibliography

...

]Subclause 6.

...

Sources

...

7.10, "Static Assertions"
[Jones 2010]
[Klarer 2004]
[Saks 2005]
[Saks 2008]


...

Image Modified Image Modified Image Modified