SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

C99 defines assert() to have the following behavior [[ISO/IEC 9899-1999]]

The assert macro puts diagnostic tests into programs; it expands to a void expression. When it is executed, if expression (which shall have a scalar type) is false (that is, compares equal to 0), the assert macro writes information about the particular call that failed (including the text of the argument, the name of the source file, the source line number, and the name of the enclosing function — the latter are respectively the values of the preprocessing macros __FILE__ and __LINE__ and of the identifier __func__) on the standard error stream in an implementation-defined format. It then calls the abort function.

Because assert() calls abort(), cleanup functions registered with atexit() are not called. If the intention of the programmer is properly cleanup in the case of a failed assertion, a signal handler that calls exit() should be installed to handle SIGABRT.

See ERR04-A. Choose an appropriate termination strategy for more information on program termination strategies and MSC11-A. Incorporate diagnostic tests using assertions for more information on using the assert() macro.

Non-Compliant Code Example

void cleanup(void) {
  /* delete temporary files, restore consistent state, etc. */
}

int main(void) {
  atexit(cleanup);

  /* ... */

  assert(/* something bad didn't happen */);

  /* ... */
}

If the assert() fails, the cleanup() function is not called.

Compliant Solution

void sigabrt_handler(int signum) {
  exit(EXIT_FAILURE);
}

void cleanup(void) {
  /* delete temporary files, restore consistent state, etc */
}

int main(void) {
  atexit(cleanup);
  signal(SIGABRT, sigabrt_handler);

  /* ... */

  assert(/* something bad didn't happen */);

  /* ... */
}

Note that this example is not a violation of SIG30-C. Call only asynchronous-safe functions within signal handlers because abort() is called synchronously by assert().

Risk Analysis

Unsafe usage of abort() may leave files written in an inconsistent state. It may also leave sensitive temporary files on the filesystem.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[ISO/IEC 9899-1999]] Section 7.2.1.1, "The assert macro", 7.20.4.1, "The abort function"

ERR05-A. Application-independent code must provide error detection without dictating error handling      12. Error Handling (ERR)       ERR30-C. Set errno to zero before calling a function, and use it only after the function returns a value indicating failure

  • No labels