Many functions return useful values whether or not the function has side effects. In most cases, this value is used to signify whether the function successfully completed its task or if some error occurred. (See ERR02-C. Avoid in-band error indicators.) Other times, the value is the result of some computation and is an integral part of the function's API.
Subclause 6.8.3 of the C Standard [ISO/IEC 9899:2011] states:
The expression in an expression statement is evaluated as a void expression for its side effects.
All expression statements, such as function calls with an ignored value, are implicitly cast to void. Because a return value often contains important information about possible errors, it should always be checked; otherwise, the cast should be made explicit to signify programmer intent. If a function returns no meaningful value, it should be declared with return type void.
This recommendation encompasses MEM32-C. Detect and handle memory allocation errors, FIO04-C. Detect and handle input and output errors, and FIO34-C. Use int to capture the return value of character IO functions.
Noncompliant Code Example
This noncompliant code example calls puts() and fails to check whether a write error occurs:
puts("foo");
However, puts() can fail and return EOF.
Compliant Solution
This compliant solution checks to make sure no output error occurred. (See FIO04-C. Detect and handle input and output errors.)
if (puts("foo") == EOF) {
/* Handle error */
}
Exceptions
EXP12-EX1: If the return value is inconsequential or if any errors can be safely ignored, such as for functions called because of their side effects, the function should be explicitly cast to void to signify programmer intent. For an example of this exception, see "Compliant Solution (Remove Existing Destination File)" under the section "Portable Behavior" in FIO10-C. Take care when using the rename() function.
EXP12-EX2: If a function cannot fail or if the return value cannot signify an error condition, the return value may be ignored. Such functions should be added to a whitelist when automatic checkers are used.
strcpy(dst, src);
Risk Assessment
Failure to handle error codes or other values returned by functions can lead to incorrect program flow and violations of data integrity.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
EXP12-C | Medium | Unlikely | Medium | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description |
|---|---|---|---|
|
|
| |
| 2017.07 | CHECKED_RETURN | Finds inconsistencies in how function call return values are handled. Coverity Prevent cannot discover all violations of this recommendation, so further verification is necessary | |
| 1.2 | CC2.EXP12 | Fully implemented | |
| 2024.3 | SV.RVT.RETVAL_NOTTESTED |
| |
| 9.7.1 | 382 S | Fully implemented | |
| PRQA QA-C | Unable to render {include} The included page could not be found. | 3200 | Fully implemented |
| 3.1.1 |
|
|
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| CERT C++ Secure Coding Standard | EXP12-CPP. Do not ignore values returned by functions or methods |
| CERT Oracle Secure Coding Standard for Java | EXP00-J. Do not ignore values returned by methods |
| ISO/IEC TR 24772:2013 | Passing Parameters and Return Values [CSJ] |
| MITRE CWE | CWE-754, Improper check for unusual or exceptional conditions |
Bibliography
| [ISO/IEC 9899:2011] | Subclause 6.8.3, "Expression and Null Statements" |