SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 89

changes.mady.by.user Aaron Ballman

Saved on

compared with

New Version Current

changes.mady.by.user Jon O'Donnell

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Some operators do not evaluate their operands beyond the type information the operands provide. When using one of these operators, do not pass an operand which that would otherwise yield a side effect , as since the side effect will not be generated.

The sizeof operator yields the size (in bytes) of its operand, which may be an expression or the parenthesized name of a type.  In most cases, the operand is not evaluated.  A possible exception is when the type of the operand is a variable length array type (VLA); then the expression is evaluated. When part of the operand of the sizeof operator is a VLA type and when changing the value of the VLA's size expression would not affect the result of the operator, it is unspecified whether or not the size expression is evaluated. (see See unspecified behavior 22.).

The operand passed to_Alignof is never evaluated, despite not being an expression. For instance, if the operand is a VLA type , and the value of the VLA's size expression contains a side effect, that side effect is never evaluated.

...

Code Block
bgColor#ccccff
langc
#include <stdio.h>
 
void func(void) {
  int a = 14;
  int b = sizeof(a);
  ++a;
  printf("%d, %d\n", a, b);
}

...

Noncompliant Code Example (sizeof, VLA)
...
 Code Block
bgColor#FFcccc
langc
#include <stddef.h>
#include <stdio.h>
  
void f(size_t n) {
  /* n must be incremented */ 
  size_t a = sizeof(int[++n]);
 
  /* n need not be incremented */
  size_t b = sizeof(int[++n % 1 + 1]);

  printf("%z%zu, %z%zu, %z%zu\n", a, b, n);
  /* ... */
}

...
Compliant Solution (sizeof, VLA)
...
 Code Block
bgColor#ccccFF
langc
#include <stddef.h>
#include <stdio.h>
  
void f(size_t n) {
  size_t a = sizeof(int[n + 1]);
  ++n;

  size_t b = sizeof(int[n % 1 + 1]);
  ++n;
  printf("%z%zu, %z%zu, %z%zu\n", a, b, n);
  /* ... */
}

...
This noncompliant code example attempts to modify a variable's value as part of the _Generic selection control expression. The programmer may expect that a is incremented, but because _Generic does not evaluate its control expression, the the value of a is not modified.
...
 Code Block
bgColor#ccccFF
langc
#include <stdio.h>
void func(void) {
  int val = 0; 
  /* ... */ 
  ++val;
  size_t align = _Alignof(int[val]);
  printf("%zu, %d\n", align, val);
  /* ... */
}
Exceptions
EXP44-C-EX1: Reading a volatile-qualified value is a side-effecting operation. However, accessing a value through a volatile-qualified type does not guarantee side effects will happen on the read of the value unless the underlying object is also volatile-qualified. Idiomatic reads of a volatile-qualified object are permissible as an operand to a sizeof()_Alignof(), or _Generic expression, as in the following example:
...
If expressions that appear to produce side effects are supplied to an operator that does not evaluate its operands, the results may be different than expected. Depending on how this result is used, it can lead to unintended program behavior.
Rule
Severity
Likelihood
Remediation Cost
Priority
Level
EXP44-C
Low
Unlikely
Low
P3
L3
Automated Detection
Tool
Version
Checker
Description
Astrée
 Include Page
Astrée_V
Astrée_V
alignof-side-effect
generic-selection-side-effect
sizeof
Fully checked
Axivion Bauhaus Suite
 Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V
CertC-EXP44
Clang
 Include Page
Clang_V
Clang_V
-Wunevaluated-expressionCan diagnose some instance of this rule, but not all (such as the _Alignof NCCE).
CodeSonar
 Include Page
CodeSonar_V
CodeSonar_V
LANG.STRUCT.SE.SIZEOF
LANG.STRUCT.SE.CGEN
Side effects in sizeof
Side Effects in C Generic Selection
Compass/ROSE
 
 



Coverity
 Include Page
Coverity_V
Coverity_V
MISRA C 2004 Rule 12.3
Partially implemented
 
ECLAIR
 Include Page
ECLAIR_V
ECLAIR_V
CC2.EXP06
Fully implemented
Helix QAC
 Include Page
Helix QAC_V
Helix QAC_V
C3307
Klocwork
 Include Page
Klocwork_V
Klocwork_V
MISRA.SIZEOF.SIDE_EFFECT
LDRA tool suite
 Include Page
LDRA_V
LDRA_V
54 S, 653 S
Fully implemented
PRQA QA-C Include PagePRQA QA-C_vPRQA QA-C_v3307Fully implemented
Parasoft C/C++test
 Include Page
Parasoft_V
Parasoft_V
CERT_C-EXP44-a
CERT_C-EXP44-b
Object designated by a volatile lvalue should not be accessed in the operand of the sizeof operator
The function call that causes the side effect shall not be the operand of the sizeof operator
PC-lint Plus
 Include Page
PC-lint Plus_V
PC-lint Plus_V
9006
Partially supported: reports use of sizeof with an expression that would have side effects
Polyspace Bug Finder
 Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V
CERT C: Rule EXP44-C

Checks for situations when side effects of specified expressions are ignored (rule fully covered)
PVS-Studio
 Include Page
PVS-Studio_V
PVS-Studio_V
V568
RuleChecker
 Include Page
RuleChecker_V
RuleChecker_V
alignof-side-effect
generic-selection-side-effect
sizeof
Fully checked
Clang Include PageClang_VClang_V-Wunevaluated-expression 
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy
Taxonomy item
Relationship
CERT C
++ Coding Standard
EXP06
EXP52-CPP. 
 Operands to the sizeof operator should not contain 
Do not rely on side effects 
...
in unevaluated operandsPrior to 2018-01-12: CERT: Unspecified Relationship

...
Image Modified Image Modified Image Modified