SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 64 Next »

Avoid the use of magic numbers in code when possible. Magic numbers are constant values that represent either an arbitrary value (such as a determined appropriate buffer size) or a malleable concept (such as the age a person is considered an adult, which could change between geopolitical boundaries). Rather, use appropriately named symbolic constants to clarify the intent of the code. In addition, if a specific value needs to be changed, reassigning a symbolic constant once is more efficient and less error prone than replacing every instance of the value.

The C programming language has several mechanisms for defining symbolic constants: const-qualified objects, enumeration constants, and macro definitions.

Objects that are const-qualified have scope and can be type-checked by the compiler. Because these are named objects (unlike macro definitions), (certain) debugging tools can show the name of the object. The objects also consumes memory (though this is not too important). Unfortunately, const-qualified objects cannot be used where compile-time integer constants are required, namely to define the

  • size of a bit-field member of a structure
  • size of an array (except in the case of variable length arrays)
  • value of an enumeration constant
  • value of a case constant

An enumeration constant is a member of an enumeration. Enumeration constant can be used to represent an integer constant expression that has a value representable as an int. Unlike const-qualified objects, enumeration constants do not require that storage is allocated for the value so it is not possible to take the address of an enumeration constant.

A preprocessing directive of the form:

# define identifier replacement-list

defines an object-like macro that causes each subsequent instance of the macro name to be replaced by the replacement list of preprocessing tokens that constitute the remainder of the directive [[ISO/IEC 9899-1999]].

#define:

  • operates at compile time
  • consumes no memory (though this is not too important)
  • can use in compile-time constant expression
  • uses different syntax; can make mistake with ;
  • can't create pointers to
  • no type checking

const:

  • operates at run time
  • consumes memory (though this is not too important)
  • can't use in compile-time constant expression
  • uses consistent syntax
  • can create pointers to
  • does type checking

If any of these are required, then an integer constant (which would be an rvalue) must be used.

Method

Evaluated at

Consumes Memory

Viewable by Debuggers

Type Checking

Compile-time constant expression

Enumerations

compile time

no

yes

yes

no

const qualified

run time

yes

yes

yes

no

Macros

preprocessor

no

no

no

yes

Non-Compliant Code Example

The meaning of the numeric literal 18 is not clear in this example.

/* ... */
if (age >= 18) {
   /* Take action */
}
else {
  /* Take a different action */
}
/* ... */

Compliant Solution

The compliant solution replaces 18 with the symbolic constant ADULT_AGE to clarify the meaning of the code.

When declaring immutable symbolic values, such as ADULT_AGE, it is best to declare them as a constant in accordance with DCL00-A. Const-qualify immutable objects.

enum { ADULT_AGE=18 };
/* ... */
if (age >= ADULT_AGE) {
   /* Take action */
}
else {
  /* Take a different action */
}
/* ... */

Non-Compliant Code Example

Magic numbers are frequently used when referring to array dimensions, as shown in this non-compliant coding example.

char buffer[256];
/* ... */
fgets(buffer, 256, stdin);

This use of magic numbers can easily result in buffer overflows, if for example, the buffer size is reduced but the magic number used in the call to fgets() is not.

Compliant Solution (enum)

In this compliant solution the magic number is replaced with an enumeration constant (see DCL00-A. Const-qualify immutable objects).

enum { BUFFER_SIZE=256 };

char buffer[BUFFER_SIZE];
/* ... */
fgets(buffer, BUFFER_SIZE, stdin);

Compliant Solution (sizeof)

A sizeof expression can work just as well as an enumeration constant (see EXP09-A. Use sizeof to determine the size of a type or variable).

char buffer[256];
/* ... */
fgets(buffer, sizeof(buffer), stdin);

Using the sizeof expression reduces the total number of names declared in the program, which is almost always a good thing to do.

Exceptions

DCL06-EX1: While replacing numeric constants with a symbolic constant is often a good practice, it can be taken too far. Exceptions can be made for constants that are themselves the abstraction you want to represent, as in this compliant solution.

x = (-b + sqrt(b*b - 4*a*c)) / (2*a);

Replacing numeric constants with symbolic constants in this example does nothing to improve the readability of the code, and may in fact make the code more difficult to read:

enum { TWO = 2 };     /* a scalar */
enum { FOUR = 4 };    /* a scalar */
enum { SQUARE = 2 };  /* an exponent */
x = (-b + sqrt(pow(b, SQUARE) - FOUR*a*c))/ (TWO * a);

When implementing recommendations, it is always necessary to use sound judgment.

(Note that this example does not prevent overflow or check for invalid operations (taking the sqrt() of a negative number.) See INT32-C. Ensure that operations on signed integers do not result in overflow and FLP32-C. Prevent or detect domain and range errors in math functions.

Risk Assessment

Using numeric literals makes code more difficult to read and understand. Buffer overruns are frequently a consequence of a magic number being changed in one place (like an array declaration) but not elsewhere (like a loop through an array).

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

DCL06-A

1 (low)

1 (unlikely)

2 (medium)

P2

L3

Automated Detection

The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[Henricson 92]] Chapter 10, "Constants"
[[ISO/IEC 9899-1999]] Section 6.7, "Declarations"
[[ISO/IEC PDTR 24772]] "BRS Leveraging human experience"
[[Saks 01]] Dan Saks. Symbolic Constants. Embedded Systems Design. November, 2001.
[[Saks 02]] Dan Saks. Symbolic Constant Expressions. Embedded Systems Design. February, 2002.

DCL05-A. Use typedefs to improve code readability      02. Declarations and Initialization (DCL)       DCL07-A. Include the appropriate type information in function declarators

  • No labels