You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 29 Next »

The presence of unused values may indicate significant logic errors. To prevent such errors, unused values should be identified and removed from code.

Non-Compliant Code Example

In this example, p2 is assigned the value returned by bar(), but that value is never used. Note this example assumes that foo() and bar() return valid pointers (see [DCL30-C. Declare objects with appropriate storage durations]).

int *p1, *p2;
p1 = foo();
p2 = bar();

if (baz()) {
  return p1;
}
else {
  p2 = p1;
}
return p2;

Compliant Solution

This example can be corrected many different ways depending on the intent of the programmer. In this compliant solution, p2 is initialized to NULL rather than the result of bar(). The call to bar() can be removed if bar() does not produce any side-effects.

int *p1 = foo();
int *p2 = NULL;
bar(); /* Removable if bar() does not produce any side-effects */
if (baz()) {
  return p1;
}
else {
  p2 = p1;
}
return p2;

Risk Assessment

Unused values may indicate significant logic errors, possibly resulting in a denial of service condition.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

MSC13-A

1 (low)

1 (unlikely)

2 (medium)

P2

L3

Automated Detection

The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.

The Coverity Prevent UNUSED_VALUE checker finds variables that are assigned pointer values returned from a function call but never used.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[Coverity 07|AA. C References#Coverity 07]
[[ISO/IEC PDTR 24772]] "BRS Leveraging human experience," "KOA Likely incorrect expressions," and "XYQ Dead and Deactivated Code"


MSC12-A. Detect and remove code that has no effect      14. Miscellaneous (MSC)       MSC14-A. Do not introduce unnecessary platform dependencies

  • No labels