The C language allows the same names to be used in many different contexts (blocks and namespaces), which is unsafe, as it may lead to confusion as to which variant is active at the time. This standard reports when a procedure name is reused in any another context within the same file.
#include "c_standards.h" void foo(UINT_32 p_1) { UINT_32 x = p_1; } /******************************************************** * Standard 1 S : Procedure name reused. ********************************************************/ void static_1(void) { UINT_32 foo = 1u; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.1.1 | ||
CERT-J | : | SCP02-J | ||
CMSE | : | 1.1.1 | ||
DERA | : | 21 | ||
GJB | : | 4.1.1.1 | ||
HIS | : | 21 | ||
LMTCP | : | 248 | ||
MISRA-AC | : | 5.2, 5.7 | ||
MISRA-C:1998 | : | 21 | ||
MISRA-C:2004 | : | 5.2, 5.7 |
The C language allows the same names to be used in many different contexts (blocks and namespaces), which is unsafe, as it may lead to confusion as to which variant is active at the time. A label name is reused and hides another definition. This is compiler dependent, and is only relevant for first generation C compilers.
#include "c_standards.h" /******************************************************** * Standard 2 S : Label name reused. * (Superceded by other penalties depending on implementation) ********************************************************/ void static_2 (void) { UINT_32 value_x = 1u; UINT_32 y=0; value_x: y=1; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Not Known * Source Code & Violations Not Known * Reformatted Code Not Known * Individual Quality Report Not Known * */
CAST | : | 5.1.2 | ||
CERT-J | : | SCP02-J | ||
CMSE | : | 1.1.2 | ||
DERA | : | 12 | ||
GJB | : | 4.1.1.2 | ||
LMTCP | : | 16 | ||
MISRA-AC | : | 5.7 | ||
MISRA-C:1998 | : | 12 | ||
MISRA-C:2004 | : | 5.7 |
This standard enables managers to control the amount of code in each file. The limit is user definable. The *** symbols refer to a user definable number for this standard, defaulting to 2000. The configuration is made in the c/cpppen.dat file. Instructions for making alterations can be found in the manual.
This standard enables managers to control the size of the procedures. The *** symbols refer to a user definable number for this standard, defaulting to 200. The configuration is made in the c/cpppen.dat file. Instructions for making alterations can be found in the manual.
#include "C_STANDARDS.H" BOOL isHexDigit( CHAR Hex ); /******************************************************** * Standard 4 S : Procedure exceeds *** reformatted lines ********************************************************/ BOOL isHexDigit( CHAR Hex ) { BOOL bResult; bResult = FALSE; if ((Hex == '0') || (Hex == '1') || (Hex == '2') || (Hex == '3') || (Hex == '4') || (Hex == '5') || (Hex == '6') || (Hex == '7') || (Hex == '8') || (Hex == '9') || (Hex == 'A') || (Hex == 'a') || (Hex == 'B') || (Hex == 'b') || (Hex == 'C') || (Hex == 'c') || (Hex == 'D') || (Hex == 'd') || (Hex == 'E') || (Hex == 'e') || (Hex == 'F') || (Hex == 'f')) { bResult = TRUE; } return bResult; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code No * Source Code & Violations No * Reformatted Code No * Individual Quality Report Yes * */
The use of empty then clauses can be due either to errors or deliberate avoidance of negative boolean expressions. The options flagged are:
if(...) else if(...) {} else if(...) {;} else
The inclusion of a comment within the empty then clause { /* ... */ } is deemed to indicate that the absence of executable code is deliberate, and hence no standard will report in this circumstance.
if(...) { /* ... */ } else
#include "c_standards.h" /******************************************************** * Standard 5 S : Empty then clause ********************************************************/ void static_5(void) { UINT_32 value_x = 1u; if (value_x == 0u) { #if FALSE value_x = value_x + 1u; #endif } if (value_x == 0u) {;} } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
The use of procedure pointers is considered to be dangerous by some bodies and needs to be tightly controlled. For example, the pointer could be rogue, and also will obscure control flow.
#include "c_standards.h" void foo(UINT_32 p_1, UINT_16 p_2) { /* ... */ } /******************************************************** * Standard 6 S : Procedure pointer declared. ********************************************************/ void static_6(void) { void (*proc_pointer) (UINT_32 p_1, UINT_16 p_2) = foo; proc_pointer(1u,1); /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
This is compiler dependent but most commonly is a use of longjmp. This is generally considered bad practice.
#include <setjmp.h> #include "c_standards.h" /****************************************************************** * Standard 7 S : jump out of procedure ******************************************************************/ static void static_7(jmp_buf mark, SINT_32 val) { longjmp(mark,val); } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
This standard is not applicable to java.
The use of empty else clauses can either be due to incomplete code or deliberate policy to show that the possibility has been considered. The options flagged are:
else ; else { } else {;}
The inclusion of a comment within the empty else clause { /* ... */ } is deemed to indicate that the absence of executable code is deliberate, and hence no standard will report in this circumstance:
else { /* ... */ }
#include "c_standards.h" /******************************************************** * Standard 8 S : Empty else clause ********************************************************/ void static_8 (void) { UINT_32 name_x = 1u; if (name_x == 0u) { /* ... */ } else ; if (name_x == 0u) { /* ... */ } else { #if FALSE name_x = name_x + 1u; #endif } if (name_x == 0u) { /* ... */ } else { ; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
The assignment operator (=) sets an lvalue, whereas the equality operator (==) performs a comparison. It is possible that the assignment operator was typed in error. It can also cause unexpected side effects.
This standard can be relaxed to allow postfix increment and decrement operators on the RHS of an assignment or in a comparison to NULL by configuring the modifiers 259 and 266 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /******************************************************** * Standard 9 S : Assignment operator in expression. ********************************************************/ BOOL static_9(BOOL test) { BOOL result,flag; result = ( flag = test ); return result; } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CERT-C | : | EXP30-C, EXP31-C, FIO41-C, PRE31-C | ||
CMSE | : | 6.1.1 | ||
DERA | : | 33, 35, 40, 46 | ||
EADS-C | : | 166, 167 | ||
GJB | : | 4.6.1.1 | ||
HIC++ | : | 10.3, 10.5, 10.6 | ||
HIS | : | 33, 35, 40, 46 | ||
JSF++ AV | : | 160, 204 | Modifiers : 259 = 1 | |
LMTCP | : | 362 | ||
MISRA-AC | : | 12.2 | ||
MISRA-C++:2008 | : | 5-0-1, 6-2-1 | ||
MISRA-C:1998 | : | 33, 35, 40, 46 | ||
MISRA-C:2004 | : | 12.2 | ||
NETRINO | : | 8.6.a | ||
SEC-C | : | R3.2.2 |
The use of curly brackets, {}, in controlled clauses is recommended for maintenance purposes. Upon detection of this standards violation LDRA Testbed inserts the required brackets into the reformatted code to permit instrumentation.
#include "c_standards.h" /******************************************************** * Standard 11 S : No brackets to loop body ********************************************************/ SINT_32 static_11(SINT_32 p_1) { SINT_32 j = 10; SINT_32 k = 0; for (k = 0; k < 10; k = k + 1) j--; return j; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.2.1, 5.2.2 | ||
CMSE | : | 2.1.2 | ||
CWE | : | 483 | ||
DERA | : | 59 | ||
EADS-C | : | 145, 165, 166, 167 | ||
ESA-BSSC | : | 12 | ||
GJB | : | 4.2.1.1, 4.2.1.2 | ||
HIC++ | : | 5.1 | ||
HIS | : | 59 | ||
JSF++ AV | : | 59 | ||
LMTCP | : | 84 | ||
MISRA-AC | : | 14.8 | ||
MISRA-C++:2008 | : | 6-3-1 | ||
MISRA-C:1998 | : | 59 | ||
MISRA-C:2004 | : | 14.8 | ||
NETRINO | : | 1.3.a | ||
SEC-C | : | M2.1.2 |
The use of curly brackets, {}, in controlled clauses is recommended for maintenance purposes. Upon detection of this standards violation LDRA Testbed inserts the required brackets into the reformatted code to permit instrumentation.
This standard can be relaxed to allow else if ( rather than else { if } ) by setting the tbend modifier to F in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /******************************************************** * Standard 12 S : No brackets to then/else ********************************************************/ SINT_32 static_12(SINT_32 p_1, SINT_32 p_2) { SINT_32 i = 1; SINT_32 j = 0; if (p_1 > 0) { i = i - 1; } else i = i + 1; /* not compliant */ if (p_2 > 0) { j = j + p_2; } else if (p_2 < 0) /* not compliant but permitted with modifier */ { j = j - p_2; } else { j = i; } return j; } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.2.3 | ||
CERT-C | : | MSC01-C | ||
CMSE | : | 2.1.3 | ||
CWE | : | 483 | ||
DERA | : | 59 | ||
EADS-C | : | 145 | Modifiers : tbend F | |
ESA-BSSC | : | 12 | ||
GJB | : | 4.2.1.3 | ||
HIC++ | : | 5.1 | ||
HIS | : | 59 | Modifiers : tbend F | |
JSF++ AV | : | 59 | Modifiers : tbend F | |
LMTCP | : | 84 | ||
MISRA-AC | : | 14.9 | Modifiers : tbend F | |
MISRA-C++:2008 | : | 6-4-1 | Modifiers : tbend F | |
MISRA-C:1998 | : | 59 | Modifiers : tbend F | |
MISRA-C:2004 | : | 14.9 | Modifiers : tbend F | |
NETRINO | : | 1.3.a | ||
SEC-C | : | R3.5.1 |
The use of goto is usually considered bad practice, as its use leads to unstructured code.
#include "c_standards.h" /******************************************************** * Standard 13 S : goto detected. ********************************************************/ void static_13(void) { SINT_32 jump_flag = 0; start: jump_flag++; if (jump_flag <10) { goto start; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.5.2 | ||
CMSE | : | 5.1.2 | ||
DERA | : | 56 | ||
EADS-C | : | 119 | ||
GJB | : | 4.5.1.2 | ||
HIC++ | : | 5.8 | ||
HIS | : | 56 | ||
JPL | : | 1 | ||
JSF++ AV | : | 189 | ||
LMTCP | : | 340 | ||
MISRA-AC | : | 14.4 | ||
MISRA-C:1998 | : | 56 | ||
MISRA-C:2004 | : | 14.4 | ||
NETRINO | : | 1.7.c, 8.5.a | ||
SEC-C | : | M3.1.2 |
This standard is not applicable to java.
Passing procedures as parameters is an issue on which authorities are divided. They can be used to generalise software, but also to obscure control flow. This standard will report any instances encountered.
#include "c_standards.h" void test_14s(SINT_32 p_1) { /* ... */ } /******************************************************** * Standard 14 S : Procedural parameter declared. ********************************************************/ void static_14(void (*p_proc_pointer)(SINT_32 parameter_1) ) { p_proc_pointer = test_14s; } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
This standard is not applicable to java.
A structure field with no name cannot be accessed. These occur in contexts such as:
struct atag { struct anothertag{...};....};
The use of this code construct may be used to force alignment in certain compilers, but this is non portable.
This standard can be relaxed to allow anonymous fields which are tagged structures by configuring the modifier 245 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /******************************************************** * Standard 15 S : Anonymous field to structure. ********************************************************/ struct s_15 { UINT_32 xs; struct {UCHAR ac, ab;};}; void static_15(void) { struct s_15 sb; sb.xs = 1; /* ...*/ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CMSE | : | 1.1.3 | ||
DERA | : | 108, 113 | ||
GJB | : | 4.1.1.3 | ||
HIS | : | 108, 113 | ||
JSF++ AV | : | 156 | Modifiers : 245 = 1 | |
LMTCP | : | 16, 285 | Modifiers : 245 = 1 | |
MISRA-AC | : | 1.2 | ||
MISRA-C:1998 | : | 108, 113 | ||
MISRA-C:2004 | : | 1.2 |
This standard is not applicable to java.
With the exception of case labels, the use of multiple consecutive labels is considered redundant by some authorities, only one is required.
#include "c_standards.h" /******************************************************** * Standard 16 C : Multiple labels declared ********************************************************/ static void static_16(void) { start:begin: /* ... */ ; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard reports the presence of any sections of assembler code, which are compiler dependent.
/******************************************************* * Standard 17 S : Code insert found. *******************************************************/ static void static_17(void) { _asm { mov eax,01h } } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
This standard is not applicable to java.
The trade-off between the use of global variables and parameters is a complex issue, but parameter passing is less efficient than using globals. Also parameters could be grouped into structures to reduce the complexity of the interface. The *** symbols refer to a user definable number for this standard, defaulting to six. The configuration is made in the c/cpppen.dat file. Instructions for making alterations can be found in the manual.
This standard can be relaxed to allow constructors to exceed the specific number of parameters by configuring the modifier 209 in the cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" void static_18(UINT_32 p_1, UINT_32 p_2, UINT_32 p_3, UINT_32 p_4, UINT_32 p_5, UINT_32 p_6, UINT_32 p_7, UINT_32 p_8, UINT_32 p_9, UINT_32 p_10, UINT_32 p_11, UINT_32 p_12, UINT_32 p_13, UINT_32 p_14, UINT_32 p_15, UINT_32 p_16) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.1.20 | ||
CMSE | : | 1.2.3 | ||
GJB | : | 4.1.2.3 | ||
HIC++ | : | 4.3 | ||
JSF++ AV | : | 110 | Modifiers : 209 = 1 | |
LMTCP | : | 205 | Modifiers : 209 = 1 |
This standard reports when an uncalled procedure receives a procedural parameter, (which therefore cannot be called).
#include "c_standards.h" void static_19( void ( * p_proc_pointer )(void) ); /******************************************************** * Standard 19 S : Procedural parameter used in unused procedure. ********************************************************/ void static_19( void ( * p_proc_pointer )(void) ) { p_proc_pointer(); } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
This standard is not applicable to java.
As part of LDRA Testbed's strong type checking, this standard reports when a partial declaration or definition of a procedure is encountered. Some compilers allow default types for parameters, which introduces non-portability and relies on the underlying implementation, rather than the specific code.
#include "c_standards.h" /******************************************************** * Standard 20 S : Parameter not declared explicitly. ********************************************************/ UINT_32 static_20_135( p_1 ) { UINT_32 result; result = p_1 * 2; return result; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Header * Source Code & Violations Yes Procedure Header * Reformatted Code Yes Procedure Header * Individual Quality Report Yes * */
This standard is not applicable to c++ and java.
Some compilers will successfully link regardless of the numbers of actual and formal parameters. This standard reports any mismatches in the number of parameters between the declaration and the call.
#include "c_standards.h" UINT_32 test_21(UINT_32 p_1, UINT_16 p_2) { UINT_32 result = 0; result = p_1 + p_2; return result; } /******************************************************** * Standard 21 S : Number of parameters does not match. ********************************************************/ void static_21(UINT_32 p_1, UINT_16 p_2) { test_21(1, 2 ,2u); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.7.1 | ||
CERT-C | : | DCL07-C | ||
CMSE | : | 7.1.1 | ||
CWE | : | 234, 235, 685 | ||
DERA | : | 78 | ||
GJB | : | 4.7.1.1 | ||
HIS | : | 78 | ||
MISRA-AC | : | 16.6 | ||
MISRA-C:1998 | : | 78 | ||
MISRA-C:2004 | : | 16.6 |
This standard is not applicable to c++ and java.
Early versions of C (non-ANSI) had a reverse ordering for [operator] assign syntax. Examples of the ambiguous operators are:
=- =* =+
where a careless initialisation of
i = -1; val = *ptr;
is not the same as
i =- 1; val =* ptr;
#include "c_standards.h" /***************************************************** * Standard 22 S : Use of obsolete language feature. *****************************************************/ void static_22(void) { SINT_32 b = 1, a = 0; a =- b; a =+ b; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard reports procedures in a file containing a main procedure, that are not called from any other routines in that file. If this is part of a system then they may be called from another file. The suggestion is that these procedures could be sensibly moved to another file.
#include "c_standards.h" /******************************************************** * Standard 23 S : Procedure is not called in text analysed. ********************************************************/ UINT_32 static_23(UINT_32 p) { UINT_32 x = 1u; x = x + p; return x; } SINT_32 main(void) { /* ... */ return (0); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code No * Source Code & Violations No * Reformatted Code No * Individual Quality Report Yes File * */
Warns that LDRA Testbed NO_ANALYSIS annotation has been utilised within the analysis scope. This means that the user has intentionally not analysed all of the code within the source file.
#include "c_standards.h" /******************************************************* * Standard 24 S : Use of Noanalysis annotation. *******************************************************/ void static_24(void) { UINT_32 x; x=1; /*LDRA_NOANALYSIS*/ x = x + 1u; /*LDRA_ANALYSIS*/ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
These correspond to cases which fall through to the following case or default. They should be inspected to see if a break statement is missing.
#include "c_standards.h" /******************************************************** * Standard 25 S : Null case(s) in switch statement ********************************************************/ SINT_32 static_25(SINT_32 p_1) { SINT_32 i = 0, j = 0; switch (p_1) { case 0: j = 0; break; case 1: case 2: j=i; break; default: i = j + 1; } return i + j; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Control Structure * Source Code & Violations Yes Control Structure * Reformatted Code Yes Control Structure * Individual Quality Report Yes * */
These are the simple cases of:
for(;;) while(1) {...} do .. while(1)
These may be used for legitimate purposes, for example in Real-Time systems, but the potential for dangerous behaviour is still reported. Further infinite loop detection is performed in Complexity and Dataflow Analysis.
#include "c_standards.h" /******************************************************** * Standard 26 S : Infinite loop used ********************************************************/ void static_26 (void) { UINT_32 a=0; while (1) { /* ... */ } do { /* ... */ } while (1); for (a=0;;a++) /* No Condition Expression */ { /* ... */ } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
If the procedure returns void, then any return statement should not return a value. 36 S reports on functions without a corresponding return value.
#include "c_standards.h" /******************************************************** * Standard 27 S : VOID procedure with return statement. ********************************************************/ void static_27( UINT_32 p_1, UINT_32 p_2) { UINT_32 result; result = p_1 + p_2; return result; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
Reports when a derived class is based upon different classes which have a common base class.
void STATIC_028(void); class Base { public: Base(); ~Base(); }; Base::Base(void) { /* ... */ }; Base::~Base(void) { /* ... */ }; class Sub1: public Base { /* ... */ }; class Sub2: public Base { /* ... */ }; /******************************************************** * Standard 28 S : Duplicated Base Classes in a Derived class. ********************************************************/ class static_028 : public Sub1, public Sub2 { /* ... */ }; /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report No * */
HIC++ | : | 3.3.15 |
This standard is not applicable to c and java.
Some organisations believe that the use of these constructs is dangerous.
#include "c_standards.h" /***************************************************** * Standard 29 S : Use of += or -= operators found. *****************************************************/ void static_29(void) { UINT_32 x = 1u; UINT_32 y = 2u; UINT_32 z = 3u; BOOL flag = FALSE; x+=1; z+=y; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
The use of these operators in an expression is considered dangerous because of the side effect. This standard should also be considered in conjunction with 124 S which flags all prefix uses of ++ and --. Users are advised to select one or other of these standards.
This standard can be relaxed to allow the use of ++ and -- in stand-alone expressions and the 3rd expression of a for loop by configuring the modifier 122 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file. By default, the standard is configured to permit the relaxed use as described.
#include "c_standards.h" void foo( UINT_32 p_x) { /* ... */ } /***************************************************** * Standard 30 S : Deprecated usage of ++ or -- operators found. *****************************************************/ void static_30(void) { UINT_32 x = 1u; UINT_32 y = 2u; BOOL flag = FALSE; if (flag == FALSE) { x++; /* not compliant but permitted with modifier 122 */ } x = x + y++; /* not compliant */ foo( x++ ); /* not compliant */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CERT-C | : | EXP30-C, EXP31-C | ||
CMSE | : | 8.2.2 | ||
CWE | : | 737 | Modifiers : 122 = 1 | |
DERA | : | 33, 46 | ||
GJB | : | 4.8.2.2 | ||
HIC++ | : | 10.3 | ||
HIS | : | 33, 46 | ||
LMTCP | : | 304 | ||
MISRA-AC | : | 12.2, 12.13 | ||
MISRA-C++:2008 | : | 5-0-1, 5-2-10 | ||
MISRA-C:1998 | : | 33, 46 | ||
MISRA-C:2004 | : | 12.2, 12.13 | ||
SEC-C | : | R3.6.1 |
Using a break statement in a loop is considered by some to violate the rules of structured programming, as it causes a loop to have more than one exit.
#include "c_standards.h" /******************************************************** * Standard 31 S : Use of break statement in loop ********************************************************/ void static_31 (void) { SINT_32 i=10 ; while (i > -1) { if (i == 0) { break; } i = i - 1; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CMSE | : | 11.2.2 | ||
DERA | : | 58 | ||
EADS-C | : | 120 | ||
GJB | : | 4.11.2.2 | ||
HIS | : | 58 | ||
JSF++ AV | : | 191 | ||
LMTCP | : | 342, 362 | ||
MISRA-C:1998 | : | 58 | ||
NETRINO | : | 1.7.e, 8.5.a |
The use of the continue statement is considered by some to violate the rules of structured programming.
#include "c_standards.h" /******************************************************** * Standard 32 S : Use of continue statement ********************************************************/ void static_32 ( SINT_32 p_1) { SINT_32 i = p_1; SINT_32 x = 0; /* ... */ while ( i != 0 ) { i--; if ( x == 0 ) { continue; } } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.8.2 | ||
CMSE | : | 8.2.3 | ||
DERA | : | 57 | ||
EADS-C | : | 119 | ||
GJB | : | 4.8.2.3 | ||
HIS | : | 57 | ||
JSF++ AV | : | 190 | ||
LMTCP | : | 341 | ||
MISRA-AC | : | 14.5 | ||
MISRA-C++:2008 | : | 6-6-3 | ||
MISRA-C:1998 | : | 57 | ||
MISRA-C:2004 | : | 14.5 | ||
NETRINO | : | 1.7.d, 8.5.a | ||
SEC-C | : | M3.1.3 |
The use of these expressions can lead to highly complex code which can be unreadable. There are also often difficulties associated with the correct evaluation of the logical expression, and the termination of the final conditional expression. This standard will report any instances encountered. for example:
x = ( a ? b : c ) /* correct logical and condition terms*/
In this following sample, the logical term could be (a+b) or just b:
x = a + b ? b : c /* potential logical term error */
In this following sample, the final conditional term could be (c+6) or just c, with an addition of 6 to the result of the ternary expression:
x = a ? b : c + 6 /* potential condition error */
#include "c_standards.h" void foo(UINT_32 p_1) { /* ... */ } /***************************************************** * Standard 33 S : Use of ternary expression found. *****************************************************/ void static_33( UINT_32 p_1 ) { static UINT_32 type0 = 0u; static UINT_32 type1 = 0u; ( p_1 == 0) ? foo( type0 ) : foo( type1 ) ; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
A procedure or function prototype or specification was specified with no parameters.
#include "c_standards.h" /******************************************************** * Standard 34 S : No parameters declared in proc specification. ********************************************************/ SINT_32 static_34(); SINT_32 static_34(UINT_32 p) { SINT_32 x = 1; if (p == 0) { x = 0; } return x; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes Global * */
This standard is not applicable to c++ and java.
If a procedure is declared as static then it has file scope and if it is not called in that file then it is not needed and can be removed.
#include "c_standards.h" static BOOL static_35(UINT_32 p_1); /*************************************************************** * Standard 35 S : Static Procedure is not called in text analysed. ***************************************************************/ static BOOL static_35(UINT_32 p_1) { BOOL ret = FALSE; UINT_32 i = p_1 + 1u; if (i == 0) { ret = TRUE; } return ret; } void main(void) { if(static_35 == FALSE) { /* ... */ ; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Header * Source Code & Violations Yes Procedure Header * Reformatted Code Yes Procedure Header * Individual Quality Report Yes * */
A function should have a return statement. A function without a return will return a chance value, often the top value of the stack. 27 S reports on void procedures with a return statement.
#include "c_standards.h" /******************************************************** * Standard 36 S : Function has no return statement. ********************************************************/ UINT_32 static_36(UINT_32 p_1, UINT_16 p_2) { UINT_32 y=p_1; /* Not returning a value */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Header * Source Code & Violations Yes Procedure Header * Reformatted Code Yes Procedure Header * Individual Quality Report Yes * */
CAST | : | 5.9.1 | ||
CMSE | : | 9.1.1 | ||
CWE | : | 758 | ||
DERA | : | 75 | ||
GJB | : | 4.9.1.1 | ||
HIC++ | : | 5.10 | ||
HIS | : | 75 | ||
JSF++ AV | : | 114 | ||
LMTCP | : | 209 | ||
MISRA-AC | : | 16.8 | ||
MISRA-C++:2008 | : | 8-4-3 | ||
MISRA-C:1998 | : | 75 | ||
MISRA-C:2004 | : | 16.8 |
Some compilers allow a parameter to have a type but no name. The parameter cannot actually be used.
#include "c_standards.h" struct s_type_b { UINT_32 xs; }; /********************************************************** * Standard 37 S : Procedure Parameter has a type but no identifier. * Does not Compile with VC++ ********************************************************/ void static_37_a(UINT_32 p_1, struct s_type_b *); void static_37_a(UINT_32 p_1, struct s_type_b *) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Definition and Procedure Header * Source Code & Violations Yes Definition and Procedure Header * Reformatted Code Yes Definition and Procedure Header * Individual Quality Report Yes * */
CAST | : | 5.1.6 | ||
CMSE | : | 1.1.7 | ||
DERA | : | 73 | ||
GJB | : | 4.1.1.7 | ||
HIS | : | 73 | ||
LMTCP | : | 233 | ||
MISRA-AC | : | 16.3 | ||
MISRA-C:1998 | : | 73 | ||
MISRA-C:2004 | : | 16.3 | ||
NETRINO | : | 6.2.f | ||
SEC-C | : | M4.5.1 |
Some bodies consider the use of global variables to be bad practice. A class with a static data member is therefore also considered bad practice. Static member functions also introduce the prospect of runtime initialization errors, so their use is also considered unsafe.
#include "c_standards.h" /******************************************************** * Standard 38 S : Use of Static class member. ********************************************************/ class Counter { public: Counter(); ~Counter(); static UINT_32 Count(); private: static UINT_32 numItems; }; Counter::Counter(void) { numItems++; } Counter::~Counter(void) { numItems--; } UINT_32 Counter::Count(void) { return numItems; } UINT_32 Counter::numItems = 0; /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report No * */
CWE | : | 500 |
This standard is not applicable to c.
There are many unsuitable types for loop indices, particularly floating point variables. For these the number of loop executions can cause surprises.
#include "c_standards.h" /******************************************************** * Standard 39 S : Unsuitable type for loop variable ********************************************************/ void static_39( void ) { FLOAT_32 f = 0.0F; for (f = 0.0F; f < 10.0F; f = f + 1.0F) { /* ... */ ; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.11.1 | ||
CERT-C | : | FLP30-C | ||
CERT-J | : | FLP30-J | ||
CMSE | : | 11.1.1 | ||
DERA | : | 65 | ||
GJB | : | 4.11.1.1 | ||
HIS | : | 65 | ||
JSF++ AV | : | 197 | ||
LMTCP | : | 349 | ||
MISRA-AC | : | 13.4 | ||
MISRA-C:1998 | : | 65 | ||
MISRA-C:2004 | : | 13.4 | ||
SEC-C | : | R2.1.2, R2.4.1 |
Some authorities believe that loop indices should be declared in the smallest enclosing scope.
#include "c_standards.h" UINT_32 global_f = 0; /******************************************************** * Standard 40 S : Loop index not declared locally ********************************************************/ SINT_32 loop_standards (SINT_32 p_1) { SINT_32 j = 10; for (global_f = 0; global_f < 10; global_f = global_f + 1) { j--; } return j; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
An ellipsis (...) allows a procedure to receive a variable number of parameters, which prevents any checking activity. This is a construct which can be heavily abused.
#include "c_standards.h" #include <stdarg.h> /******************************************************** * Standard 41 S : Ellipsis used in procedure parameter list. ********************************************************/ UINT_32 static_41(UCHAR* p_1,...) { va_list ap; UCHAR* t; va_start(ap, p_1); t = va_arg(ap, UCHAR*); va_end(ap); return 1u; } void dummy(void) { static_41("xyz","s"); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Header * Source Code & Violations Yes Procedure Header * Reformatted Code Yes Procedure Header * Individual Quality Report Yes * */
CAST | : | 5.1.7 | ||
CERT-C | : | DCL10-C, DCL11-C | ||
CERT-J | : | DCL02-J | ||
CMSE | : | 1.1.8 | ||
CWE | : | 628 | ||
DERA | : | 69 | ||
EADS-C++ | : | 40 | ||
GJB | : | 4.1.1.8 | ||
HIC++ | : | 11.6 | ||
HIS | : | 69 | ||
JPL | : | 8 | ||
JSF++ AV | : | 108 | ||
LMTCP | : | 203 | ||
MISRA-AC | : | 16.1 | ||
MISRA-C++:2008 | : | 8-4-1 | ||
MISRA-C:1998 | : | 69 | ||
MISRA-C:2004 | : | 16.1 | ||
SEC-C | : | R2.8.2 |
Bit fields are a source of difficulty in C because of ambiguities in the ANSI standard. The representation of the bit field is implementation defined, hence no assumptions can be made about such issues as alignment.
#include "c_standards.h" /******************************************************** * Standard 42 S : Use of bit field in structure declaration. ********************************************************/ struct bitfield1 {UINT_32 x:1;}; /*-- Function prototypes --*/ void dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.1.21 | ||
CMSE | : | 1.2.4 | ||
GJB | : | 4.1.2.4 | ||
MISRA-AC | : | 3.5 | ||
MISRA-C++:2008 | : | 9-6-1 | ||
MISRA-C:2004 | : | 3.5 | ||
SEC-C | : | P1.3.3 |
This standard is not applicable to java.
The use of these constructs can lead to many difficulties including lack of portability and structure.
#include <setjmp.h> #include "c_standards.h" jmp_buf env; /******************************************************** * Standard 43 S : setjmp/longjmp used ********************************************************/ void call_longjmp(SINT_32 val) { longjmp(env,val); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.5.3 | ||
CERT-C | : | ENV33-C | ||
CMSE | : | 5.2.1 | ||
DERA | : | 122 | ||
GJB | : | 4.5.2.1 | ||
HIS | : | 122 | ||
JPL | : | 1 | ||
JSF++ AV | : | 20 | ||
LMTCP | : | 24 | ||
MISRA-AC | : | 20.7 | ||
MISRA-C++:2008 | : | 17-0-5 | ||
MISRA-C:1998 | : | 122 | ||
MISRA-C:2004 | : | 20.7 |
This standard is not applicable to java.
In many installations there are reasons for banning the use of particular items:
procedures or functions from libraries ( malloc, calloc and realloc ),
library files,
specific names.
For example:
calloc, malloc, realloc, free, errno, offsetof, va_arg, va_start, va_end, atof, atoi, atol, abort, exit, getenv, system, bsearch, qsort, isalnum, qsort, isalnum, isalpha, iscntrl, islower, imprint, isupper, perror, strerror, and fmod are all banned for C by default
setlocale is banned in C++.
To set up a ban, the c/cppvals.dat file will need specific entries for each procedure or function name, marked as type 240. Instructions for making alterations can be found in the manual. Users can add extra entries into this data file in the same format as the default entries:
240 11 banned_proc
#include "c_standards.h" #include <stdarg.h> /******************************************************** * Standard 44 S : Use of banned function or variable. ********************************************************/ UINT_32 static_41(UCHAR* p_1,...) { va_list ap; UCHAR* t; va_start(ap, p_1); t = va_arg(ap, UCHAR*); va_end(ap); return 1u; } void dummy(void) { static_41("xyz","s"); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CERT-C | : | DCL03-C, INT06-C | ||
CMSE | : | 7.1.4 | ||
CWE | : | 78, 187, 242, 338, 365, 475, 676 | ||
DERA | : | 69, 118, 119, 120, 121, 125, 126 | ||
EADS-C++ | : | 59 | ||
GJB | : | 4.7.1.4 | ||
HIC++ | : | 8.3.3, 12.2, 17.9, 17.13 | ||
HIS | : | 69, 118, 119, 120, 121, 125, 126 | ||
JPL | : | 3 | ||
JSF++ AV | : | 13, 17, 18, 19, 21, 22, 23, 24, 25 | ||
LMTCP | : | 21, 22, 23, 27, 28, 200, 368, 372 | ||
MISRA-AC | : | 20.1, 20.4, 20.5, 20.6, 20.10, 20.11 | ||
MISRA-C++:2008 | : | 17-0-1, 18-0-2, 18-2-1, 18-4-1, 19-3-1 | ||
MISRA-C:1998 | : | 69, 118, 119, 120, 121, 125, 126 | ||
MISRA-C:2004 | : | 20.1, 20.4, 20.5, 20.6, 20.10, 20.11 | ||
SEC-C | : | M5.2.1 |
This standard reports the use of C++ keywords in C files, as specified as type 241 in the cvals.dat file. Instructions for making alterations can be found in the manual. Users can add extra entries into this data file in the same format as the default entries:
241 9 namespace
241 5 throw
241 5 class
241 6 public
241 7 private
241 9 protected
241 8 operator
241 3 new
241 8 template
241 7 virtual
241 6 delete
241 6 friend
241 4 cout
241 3 cin
241 4 endl
Whilst these are permitted in C it precludes the code from being compiled by a C++ compiler.
For C code, the cvals.dat file must be altered.
#include "c_standards.h" /******************************************************** * Standard 45 S : Use of C++ keyword ********************************************************/ void static_45(void) { UINT_32 public = 0; UINT_32 private = 0; UINT_32 protected = 0; UINT_32 operator = 0; UINT_32 new = 0; UINT_32 template = 0; UINT_32 virtual = 0; UINT_32 delete = 0; UINT_32 friend = 0; UINT_32 cout = 0; UINT_32 cin = 0; UINT_32 endl = 0; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to c++ and java.
In some environments the use of extern is closely controlled, for instance only specified included files may contain such types. Files allowed to use the extern keyword are identified by including an entry in the data file c/cpptbend.dat. Instructions for making alterations can be found in the manual.
Locate the line:
-1 1 Put File name for permitted extern keyword use before here
and insert any files ahead of the above, using the following structure:
1 28 c:\mysource\extern_in_here.c -1 1 Put File name for permitted extern keyword use before here
where the line format is: (I4(1), I5 (length of filename), <space>, <filename including path> );
#include "c_standards.h" /******************************************************** * Standard 46 S : Use of extern not permitted in this file. ********************************************************/ extern UINT_32 undef_global; void static_46(void) { undef_global = 1u; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Definition * Source Code & Violations Yes Definition * Reformatted Code Yes Definition * Individual Quality Report Yes Global * */
This standard is not applicable to java.
An index has been found which is not in the range specified for the array. This standard is enforced for local arrays that are explicitly declared or whose size can be determined from their initialisation. For example:
int a[4]; int b[] = {0, 0, 0, 0}; .. a[5] .. .. b[5] ..
are detected.
The use of array manipulation via pointers, i.e. procedure parameters, are reported using 87 S. The use of global arrays or indexing via procedure calls are reported using 64 X, 68 X, 69 X and 72 X.
#include "c_standards.h" /********************************************************* * Standard 47 S : Array Bounds Exceeded *********************************************************/ void STATIC_047(void) { SINT_32 array[5] = {0,0,0,0}; array[5] = 1; } /* * * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.6.2 | ||
CERT-C | : | ARR30-C | ||
CMSE | : | 6.1.2 | ||
CWE | : | 121, 124, 126, 127, 129, 193, 466, 758, 823 | ||
DERA | : | 4 | ||
GJB | : | 4.6.1.2 | ||
HIC++ | : | 10.2 | ||
MISRA-AC | : | 21.1 | ||
MISRA-C++:2008 | : | 5-0-16 | ||
MISRA-C:1998 | : | 4 | ||
MISRA-C:2004 | : | 21.1 |
If a switch statement contains no default the processing continues at the next statement. Inserting a default clause implies that some thought has been given to the issue.
This standard can be relaxed to allow switch statements on enumerated types with no default statement by configuring the modifier 252 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /******************************************************** * Standard 48 S : No default case in switch statement ********************************************************/ void static_48(SINT_32 p_1) { SINT_32 i = 0, j = 0; switch (p_1) { case 0: j = 0; break; case 1: j=i; break; } /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.3.3 | ||
CMSE | : | 3.1.4 | ||
CWE | : | 478 | ||
DERA | : | 62 | ||
EADS-C | : | 163 | ||
GJB | : | 4.3.1.4 | ||
HIS | : | 62 | ||
JSF++ AV | : | 194, 196 | Modifiers : 252 = 1 | |
LMTCP | : | 346 | ||
MISRA-C++:2008 | : | 6-4-6 | ||
MISRA-C:1998 | : | 62 | ||
MISRA-C:2004 | : | 15.3 | ||
NETRINO | : | 8.3.b | ||
SEC-C | : | R3.5.2 |
The use of brackets to clarify the order of evaluation of logical conjunctions and (&&) and or (||) can help eliminate errors and improve maintainability.
This standard can be relaxed to allow function calls without brackets by configuring the modifier 206 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /***************************************************** * Standard 49 S : Logical conjunctions need brackets. *****************************************************/ extern BOOL get_bool ( void ); void static_49(void) { BOOL flag = TRUE; UINT_32 y = 0u, x = 0u, z = 1u; if (x < 0u || z + y != 0u) /* not compliant */ { flag = FALSE; } if ( flag && get_bool() ) /* not compliant unless modifier 206 set */ { flag = FALSE; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.2.4 | ||
CERT-J | : | EXP06-J, EXP09-J | ||
CMSE | : | 2.1.4 | ||
CWE | : | 783 | Modifiers : 206 = 1 | |
DERA | : | 34 | ||
EADS-C | : | 98 | ||
GJB | : | 4.2.1.4 | ||
HIC++ | : | 10.4 | ||
HIS | : | 34 | ||
JSF++ AV | : | 158, 213 | Modifiers : 206 = 1 | |
LMTCP | : | 287, 363 | ||
MISRA-AC | : | 12.1, 12.5 | ||
MISRA-C++:2008 | : | 5-0-2, 5-2-1 | ||
MISRA-C:1998 | : | 34 | ||
MISRA-C:2004 | : | 12.1, 12.5 | ||
NETRINO | : | 1.4.b | ||
SEC-C | : | M1.4.1 |
The shifting of signed types can lead to surprising effects. The result of a shift on a negative value is implementation defined.
#include "c_standards.h" /***************************************************** * Standard 50 S : Use of shift operator on signed type. *****************************************************/ void static_50(void) { SINT_32 b = 1; b >>= 1; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.6.4 | ||
CERT-C | : | INT13-C | ||
CERT-J | : | INT36-J | ||
CMSE | : | 6.1.3 | ||
CWE | : | 682 | ||
DERA | : | 37 | ||
GJB | : | 4.6.1.3 | ||
HIC++ | : | 10.11, 10.12, 13.6 | ||
HIS | : | 37 | ||
LMTCP | : | 295 | ||
MISRA-AC | : | 12.7 | ||
MISRA-C:1998 | : | 37 | ||
MISRA-C:2004 | : | 12.7 | ||
NETRINO | : | 5.3.b |
Some compilers do not check that the shift operation cannot exceed the word length, effectively allowing the loss of all significance of the variable being shifted. The limits for the standard types need to be specified in the c/cpptbend.dat file. Instructions for making alterations can be found in the manual.
#include "c_standards.h" /***************************************************** * Standard 51 S : Shifting variable too far. *****************************************************/ void static_51(void) { UINT_32 x = 0u; UINT_32 y = 2u; x = y << 34; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.6.5 | ||
CERT-J | : | INT36-J | ||
CMSE | : | 6.1.4 | ||
CWE | : | 758 | ||
DERA | : | 38 | ||
GJB | : | 4.6.1.4 | ||
HIC++ | : | 10.12 | ||
HIS | : | 38 | ||
JSF++ AV | : | 164 | ||
LMTCP | : | 294 | ||
MISRA-AC | : | 12.8 | ||
MISRA-C++:2008 | : | 5-8-1 | ||
MISRA-C:1998 | : | 38 | ||
MISRA-C:2004 | : | 12.8 | ||
SEC-C | : | R2.5.4 |
There may be an implementation-specific implicit type conversion within the calculation, causing surprising results. This standard reports any instances encountered.
#include "c_standards.h" /***************************************************** * Standard 52 S : Unsigned expression negated. *****************************************************/ void static_52(void) { UINT_32 x = 1u; UINT_32 y = 2u; y = -x; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.6.6 | ||
CERT-C | : | INT02-C | ||
CMSE | : | 6.1.5 | ||
CWE | : | 192, 197 | ||
DERA | : | 39 | ||
GJB | : | 4.6.1.5 | ||
HIC++ | : | 10.21 | ||
HIS | : | 39 | ||
JSF++ AV | : | 165 | ||
LMTCP | : | 296 | ||
MISRA-AC | : | 12.9 | ||
MISRA-C++:2008 | : | 5-3-2 | ||
MISRA-C:1998 | : | 39 | ||
MISRA-C:2004 | : | 12.9 | ||
SEC-C | : | R2.5.2 |
Some authorities believe that the use of the comma operator outside of a for loop can make code more difficult to read. As this operator only returns the result of the rightmost expression, care should be taken with its use.
This standard can be further restricted to prohibit the use of the comma operator in for loops by configuring the modifier 263 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" UINT_32 foo( UNIT_32 v_1 ) { return (v_1+1); } /***************************************************** * Standard 53 S : Use of comma operator. *****************************************************/ void static_53(void) { UINT_32 x = 1u; x++ , foo(x) ; } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.6.15 | ||
CMSE | : | 6.2.1 | ||
DERA | : | 42 | ||
GJB | : | 4.6.2.1 | ||
HIC++ | : | 10.19 | ||
HIS | : | 42 | ||
JSF++ AV | : | 168 | Modifiers : 263 = 1 | |
LMTCP | : | 303 | Modifiers : 263 = 1 | |
MISRA-AC | : | 12.10 | ||
MISRA-C++:2008 | : | 5-18-1 | ||
MISRA-C:1998 | : | 42 | ||
MISRA-C:2004 | : | 12.10 |
This standard is not applicable to java.
The sizeof operator does not compute its operand and hence this can cause surprises if an expression is present.
For example:
in place of
x=sizeof(y=z); /* WRONG - NO assignment takes place*/
use:
y=z; x=sizeof(y); /* correct - returns sizeof type of y*/
#include "c_standards.h" /***************************************************** * Standard 54 S : Sizeof operator with side effects. *****************************************************/ void static_54(void) { UINT_32 x = 1u; UINT_32 a = 1; a = sizeof( x++ ); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CERT-C | : | EXP06-C | ||
CMSE | : | 6.2.2 | ||
CWE | : | 737 | ||
DERA | : | 40 | ||
GJB | : | 4.6.2.2 | ||
HIC++ | : | 10.9 | ||
HIS | : | 40 | ||
JSF++ AV | : | 166 | ||
LMTCP | : | 300 | ||
MISRA-AC | : | 12.3 | ||
MISRA-C++:2008 | : | 5-3-4 | ||
MISRA-C:1998 | : | 40 | ||
MISRA-C:2004 | : | 12.3 | ||
SEC-C | : | M3.2.1 |
This standard is not applicable to java.
There is the possibility of side effects being different depending on the order of execution. Note that standard 22 D reports functions which do have side effects.
Standard 1 Q is capable of more sophisticated reporting.
#include "c_standards.h" UINT_32 exp_1(UINT_32 *p_1) { UINT_32 x = *p_1; (*p_1) = x*x; return (x); } UINT_32 exp_2(UINT_32 *p_1) { UINT_32 x = *p_1; (*p_1) = (x % 2); return (x); } /***************************************************** * Standard 55 S : Expression with more than one function. *****************************************************/ void static_55(void) { UINT_32 y = 3, x = 0; x = exp_1(&y) + exp_2(&y); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
This standard reports comparison involving equality testing of floating point values. This includes ==, !=, >= and <=. Every float expression has an associated representational error, which cannot be resolved. It is safer to test that the difference between two float values fall below an agreed threshold value, rather than depend on some test featuring an equality comparison, where it is impossible to differentiate between numbers that are really equivalent, and those that are equivalent due to representational errors.
For example:
float x = 1.0f/7.0f; float y = 2.0f/7.0f; x=x*2; if (x==y) { ... } /* incorrect - representational errors*/ if ((x-y) <threshold) { ... } /* correct - threshold testing*/
This standard can be relaxed to permit the use of >= and <= by configuring the modifier 223 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /******************************************************** * Standard 56 S : Equality comparison of floating point. ********************************************************/ void static_56 ( void) { FLOAT_32 fl, f2; fl = 1.01f; f2 = 2.01f; if (fl == f2) /* not compliant */ { /* ... */ } if (fl == 0.0f) /* not compliant */ { fl = fl + 0.01f; } } /* * * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.14.2 | ||
CERT-C | : | FLP35-C | ||
CMSE | : | 14.1.1 | ||
CWE | : | 682 | ||
DERA | : | 50 | ||
EADS-C | : | 102 | ||
GJB | : | 4.14.1.1 | ||
HIC++ | : | 10.15 | ||
HIS | : | 50 | ||
JSF++ AV | : | 202 | Modifiers : 223 = 1 | |
LMTCP | : | 358 | ||
MISRA-C++:2008 | : | 6-2-2 | ||
MISRA-C:1998 | : | 50 | ||
MISRA-C:2004 | : | 13.3 | ||
NETRINO | : | 5.4.b | ||
SEC-C | : | R2.1.1 |
This is a statement which changes no local or global variables and does not effect the flow of control. It appears that it does not need to be present, and so is reported as a matter for investigation.
#include "c_standards.h" /******************************************************** * Standard 57 S : Statement with no side effect. ********************************************************/ void static_57(void) { UINT_32 x = 0; x; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.8.6 | ||
CERT-C | : | MSC03-C, MSC12-C | ||
CMSE | : | 8.1.4 | ||
CWE | : | 482 | ||
DERA | : | 53 | ||
GJB | : | 4.8.2.5, 5.1.1 | ||
HIC++ | : | 10.10 | ||
HIS | : | 53 | ||
JSF++ AV | : | 187 | ||
LMTCP | : | 338 | ||
MISRA-AC | : | 14.2 | ||
MISRA-C:1998 | : | 53 | ||
MISRA-C:2004 | : | 14.2 | ||
SEC-C | : | M1.9.1 |
The language definition allows null statements but some compilers cannot cope with them and some authorities believe the use is bad practice. For example, the coder may have forgotten to place the required line of code, and so the potential omission is reported as a matter for investigation. If the line is intended to be empty, this penalty may be circumvented with the placement of a comment /* .... */
#include "c_standards.h" /******************************************************** * Standard 58 S : Null statement found. ********************************************************/ void static_58(void) { UINT_32 Timing_Loop = 100; Timing_Loop--;; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.8.4 | ||
CERT-C | : | MSC03-C | ||
CMSE | : | 8.2.5 | ||
DERA | : | 54 | ||
GJB | : | 4.8.2.6 | ||
HIS | : | 54 | ||
LMTCP | : | 91 | ||
MISRA-AC | : | 14.3 | ||
MISRA-C++:2008 | : | 6-2-3 | ||
MISRA-C:1998 | : | 54 | ||
MISRA-C:2004 | : | 14.3 |
This is the complement of 8 S where a dummy entry is deliberately inserted to show that the alternative has been considered.
This standard can be further restricted to check for a missing else in an if statement with no else if by setting the tbend modifier to T in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /******************************************************** * Standard 59 S : Else alternative missing in if. ********************************************************/ void static_59 (void) { UINT_32 x = 2u; if ( x == 2u ) { /* ... */ ; } else if ( x == 3u) { /* ... */ ; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.3.4 | ||
CERT-C | : | MSC03-C | ||
CMSE | : | 3.1.2 | ||
CWE | : | 697 | ||
DERA | : | 60 | ||
GJB | : | 4.3.1.2 | ||
HIC++ | : | 5.11 | ||
HIS | : | 60 | ||
JSF++ AV | : | 192 | ||
LMTCP | : | 344 | ||
MISRA-AC | : | 14.10 | ||
MISRA-C++:2008 | : | 6-4-2 | ||
MISRA-C:1998 | : | 60 | ||
MISRA-C:2004 | : | 14.10 |
This is the case of a switch statement with no internal processing. It is reported as a matter for investigation.
#include "c_standards.h" /******************************************************** * Standard 60 S : Empty switch statement. ********************************************************/ void static_060(SINT_32 p_1) { SINT_32 i = p_1; switch (i) { } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Control Structure * Source Code & Violations Yes Control Structure * Reformatted Code Yes Control Structure * Individual Quality Report Yes * */
CMSE | : | 3.1.5 | ||
DERA | : | 64 | ||
GJB | : | 4.3.1.5 | ||
HIS | : | 64 | ||
JSF++ AV | : | 196 | ||
MISRA-AC | : | 15.0 | ||
MISRA-C:1998 | : | 64 | ||
MISRA-C:2004 | : | 15.0 |
The only case in this switch statement is a default statement. It is reported as a matter for investigation.
#include "c_standards.h" /******************************************************** * Standard 61 S : Switch contains default only. ********************************************************/ void static_061(SINT_32 p_1) { SINT_32 i = p_1; switch (i) { default: i++; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Control Structure * Source Code & Violations Yes Control Structure * Reformatted Code Yes Control Structure * Individual Quality Report Yes * */
CMSE | : | 3.1.6 | ||
DERA | : | 64 | ||
GJB | : | 4.3.1.6 | ||
HIS | : | 64 | ||
JSF++ AV | : | 196 | ||
LMTCP | : | 348 | ||
MISRA-AC | : | 15.5 | ||
MISRA-C++:2008 | : | 6-4-8 | ||
MISRA-C:1998 | : | 64 | ||
MISRA-C:2004 | : | 15.5 |
One major source of errors in switch statements is the fall through from one case to another, which is only preventable with the break statement or other transfer of control. This standard ensures that only one case can ever be accessed within the switch.
This standard can be relaxed to allow the default statement to have no break statement by configuring the modifier 283 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /******************************************************** * Standard 62 S : Switch Case Not Terminated with Break ********************************************************/ void static_62(SINT_32 p_1) { SINT_32 i = 0, j = 0; switch (p_1) { case 0: j = 0; /* not compliant*/ case 1: j=i; break; default: i = j + 1; /* not compliant unless modifier set */ } /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.3.6 | ||
CMSE | : | 3.1.7 | ||
CWE | : | 484 | ||
DERA | : | 61 | ||
EADS-C | : | 164 | ||
GJB | : | 4.3.1.7 | ||
HIC++ | : | 5.4 | ||
HIS | : | 61 | ||
JSF++ AV | : | 193 | Modifiers : 283 = 1 | |
LMTCP | : | 345, 348 | ||
MISRA-AC | : | 15.2, 15.5 | ||
MISRA-C++:2008 | : | 6-4-5 | ||
MISRA-C:1998 | : | 61 | ||
MISRA-C:2004 | : | 15.2, 15.5 | ||
SEC-C | : | M3.1.4 |
This standard advocates the use of func(void) rather than func(). This indicates that the lack of parameters is intentional, rather than accidental.
#include "c_standards.h" /************************************************************** * Standard 63 S : Empty Parameter List to procedure/function **************************************************************/ void static_63() { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Header * Source Code & Violations Yes Procedure Header * Reformatted Code Yes Procedure Header * Individual Quality Report Yes * */
CAST | : | 5.1.9 | ||
CMSE | : | 1.1.10 | ||
DERA | : | 76 | ||
EADS-C | : | 109 | ||
GJB | : | 4.1.1.10 | ||
HIS | : | 76 | ||
LMTCP | : | 234 | ||
MISRA-AC | : | 16.5 | ||
MISRA-C:1998 | : | 76 | ||
MISRA-C:2004 | : | 16.5 | ||
SEC-C | : | R2.8.1 |
This standard is not applicable to java.
A procedure which yields a void value can be used in expressions and this is considered dangerous. This is compiler dependent, but is usually seen within a ternary expression.
This standard also applies to procedures that yield a void* value. This standard can be relaxed to allow void* by configuring the modifier 218 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" void foo(void) { /* ... */ } /***************************************************** * Standard 64 S : Void procedure used in expression. * Code Does Not Compile under VC++ *****************************************************/ void static_64(void) { CHAR x; x = (CHAR) foo(); /* not compliant */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.7.4 | ||
CMSE | : | 7.1.7 | ||
CWE | : | 758 | Modifiers : 218 = 1 | |
DERA | : | 79 | ||
GJB | : | 4.7.1.7 | ||
HIS | : | 79 | Modifiers : 218 = 1 | |
MISRA-AC | : | 1.2 | ||
MISRA-C:1998 | : | 79 | Modifiers : 218 = 1 | |
MISRA-C:2004 | : | 1.2 |
This standard is not applicable to java.
Passing void as a parameter can lead to surprising effects and should therefore be avoided.
#include "c_standards.h" void void_para_func(void P1); void void_para_func(void P1) { /* ... */ } /****************************************************************** * Standard 65 S : Void variable passed as parameter. * Does not Compile with VC++ ******************************************************************/ void STATIC_065( void ) { void v_ptr; UINT_32 a; void_para_func(v_ptr); void_para_func((void)a); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CMSE | : | 7.1.8 | ||
CWE | : | 758 | ||
DERA | : | 80 | ||
GJB | : | 4.7.1.8 | ||
HIS | : | 80 | ||
MISRA-AC | : | 1.2 | ||
MISRA-C:1998 | : | 80 | ||
MISRA-C:2004 | : | 1.2 |
This standard is not applicable to java.
There is a return in a function but no value is specified so a value is passed by chance.
#include "c_standards.h" /******************************************************** * Standard 66 S : Function with empty return expression. ********************************************************/ UINT_32 static_66(UINT_32 p_1, UINT_16 p_2) { /* ... */ return; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.9.3 | ||
CMSE | : | 9.1.3 | ||
CWE | : | 758 | ||
DERA | : | 83 | ||
GJB | : | 4.9.1.3 | ||
HIC++ | : | 5.10 | ||
HIS | : | 83 | ||
MISRA-AC | : | 16.8 | ||
MISRA-C++:2008 | : | 8-4-3 | ||
MISRA-C:1998 | : | 83 | ||
MISRA-C:2004 | : | 16.8 |
This standard is not applicable to java.
Macro definitions can obscure readability and in particular those defined in inner blocks are considered dangerous because the block scope is not relevant.
#include "c_standards.h" /******************************************************* * Standard 67 S : #Define used in a block. *******************************************************/ void static_067(UINT_32 p_1) { UINT_32 local_x = 0; #define BLOCKDEF "test" local_x = strlen(BLOCKDEF); /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CMSE | : | 1.2.5 | ||
DERA | : | 91 | ||
GJB | : | 4.1.2.5 | ||
HIS | : | 91 | ||
MISRA-AC | : | 19.5 | ||
MISRA-C++:2008 | : | 16-0-2 | ||
MISRA-C:1998 | : | 91 | ||
MISRA-C:2004 | : | 19.5 | ||
SEC-C | : | M4.7.5 |
This standard is not applicable to java.
Redefining macros leads to unreadability and is considered bad practice. Therefore there is no need for undef. This standard reports all instances encountered.
#include "c_standards.h" #define BLOCKDEF "test" /******************************************************* * Standard 68 S : #undef used. *******************************************************/ void static_68(void) { UINT_32 local_x=0; local_x = strlen(BLOCKDEF); #undef BLOCKDEF /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CMSE | : | 1.2.6 | ||
DERA | : | 92 | ||
GJB | : | 4.1.2.6 | ||
LMTCP | : | 32, 92 | ||
MISRA-AC | : | 19.6, 20.1 | ||
MISRA-C++:2008 | : | 16-0-3, 17-0-1 | ||
MISRA-C:1998 | : | 92 | ||
MISRA-C:2004 | : | 19.6, 20.1 | ||
SEC-C | : | M4.7.6 |
This standard is not applicable to java.
Compiler pragmas can be used to cover up all sorts of problems, therefore their use needs to be controlled.
#include "c_standards.h" /******************************************************* * Standard 69 S : #pragma used. *******************************************************/ #pragma void foo(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CMSE | : | 1.2.7 | ||
DERA | : | 99 | ||
GJB | : | 4.1.2.7 | ||
HIC++ | : | 13.4 | ||
HIS | : | 99 | ||
JSF++ AV | : | 26 | ||
LMTCP | : | 247 | ||
MISRA-AC | : | 3.4 | ||
MISRA-C++:2008 | : | 16-6-1 | ||
MISRA-C:1998 | : | 99 | ||
MISRA-C:2004 | : | 3.4 | ||
NETRINO | : | 1.1.c |
This standard is not applicable to java.
The only safe, portable comparison of pointers is to use equality comparisons ( == and != ). This standard reports any other comparisons.
For example:
char * x; char * y; .... if (x>y) { /* Incorrect, Unsafe*/ } if (x!=y) { /* Correct usage*/ }
#include "c_standards.h" /******************************************************** * Standard 70 S : Logical comparison of pointers. ********************************************************/ void static_70(UINT_32 * p1_ptr, UINT_32 * p2_ptr ) { if ( p1_ptr > p2_ptr ) { /* ... */ } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.4.4 | ||
CMSE | : | 4.2.1 | ||
DERA | : | 103 | ||
GJB | : | 4.4.2.1 | ||
HIS | : | 103 | ||
JSF++ AV | : | 171 | ||
LMTCP | : | 315 | ||
MISRA-C:1998 | : | 103 |
This standard is not applicable to java.
The scope of the pointer is wider than the scope of the pointer being assigned which can lead to dangerous results.
This standard can be relaxed to allow the use of the address of a static object in a return statement by configuring the modifier 222 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
It is acceptable to assign a pointer to data that has lifetime greater than the current scope. For example, data that is created using malloc. The functions that allocate such data are identified by including an entry in the data file c/cpptbend.dat. Instructions for making alterations can be found in the manual.
Locate the line:
C list of allocator functions RDALLC
and add the function names after it:
9 my_malloc
where the line format is:(I5(length of function name), <space>, <name of function> )
#include "c_standards.h" /******************************************************** * Standard 71 S : Pointer assignment to wider scope. ********************************************************/ UINT_32* static_71( void ) { static UINT_32 w = 10u; return &w; } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.4.1 | ||
CERT-C | : | DCL30-C, MEM36-C | ||
CMSE | : | 4.1.1, 9.1.6 | ||
CWE | : | 562, 672, 758 | Modifiers : 222 = 1 | |
DERA | : | 106 | ||
GJB | : | 4.4.1.1, 5.1.18 | ||
HIC++ | : | 11.7 | ||
HIS | : | 106 | ||
JSF++ AV | : | 111, 173 | Modifiers : 222 = 1 | |
LMTCP | : | 206, 316 | Modifiers : 222 = 1 | |
MISRA-AC | : | 17.6 | ||
MISRA-C++:2008 | : | 7-5-2 | Modifiers : 222 = 1 | |
MISRA-C:1998 | : | 106 | ||
MISRA-C:2004 | : | 17.6 |
This standard is not applicable to java.
A signed bit field requires 1 bit for the sign, and at least 1 bit for the value.
#include "c_standards.h" /******************************************************** * Standard 72 S : Signed bit field less than 2 bits wide. ********************************************************/ struct static_72{SINT_32 x:1;}; void dummy( void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.6.7 | ||
CMSE | : | 6.1.6 | ||
DERA | : | 112 | ||
GJB | : | 4.6.1.6 | ||
HIS | : | 112 | ||
LMTCP | : | 283 | ||
MISRA-AC | : | 6.5 | ||
MISRA-C++:2008 | : | 9-6-4 | ||
MISRA-C:1998 | : | 112 | ||
MISRA-C:2004 | : | 6.5 | ||
SEC-C | : | R2.6.2 |
This standard is not applicable to java.
The definition of bit fields make their use for other types dangerous.
#include "c_standards.h" /******************************************************** * Standard 73 S : Bit field not signed or unsigned int. ********************************************************/ struct static_73 { UCHAR x:1; /* Not Compliant */ }; void dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.6.8 | ||
CERT-C | : | INT12-C | ||
CMSE | : | 6.1.7 | ||
CWE | : | 758 | ||
DERA | : | 111 | ||
GJB | : | 4.6.1.7 | ||
LMTCP | : | 283 | ||
MISRA-AC | : | 6.4 | ||
MISRA-C:1998 | : | 111 | ||
MISRA-C:2004 | : | 6.4 | ||
SEC-C | : | R2.6.1 |
This standard is not applicable to java.
Unions can be dangerous when the extent of the overlay cannot be certain. Word boundaries are implementation specific.
#include "c_standards.h" /******************************************************** * Standard 74 S : Union declared. ********************************************************/ union static_74{UCHAR fu; UINT_32 xu;}; void dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.1.22 | ||
CMSE | : | 1.2.8 | ||
DERA | : | 109, 110, 167 | ||
EADS-C++ | : | 53 | ||
GJB | : | 4.1.2.8 | ||
HIC++ | : | 15.1 | ||
HIS | : | 109 | ||
JSF++ AV | : | 153 | ||
LMTCP | : | 282, 283 | ||
MISRA-AC | : | 18.4 | ||
MISRA-C++:2008 | : | 9-5-1 | ||
MISRA-C:1998 | : | 109, 110 | ||
MISRA-C:2004 | : | 18.4 | ||
SEC-C | : | M1.6.2 |
This standard is not applicable to java.
In an attempt to enforce a clear design, some authorities believe that included files should only occur at the beginning of a file before any executable code. This standard reports any instances of include files after executable code.
/******************************************************* * Standard 75 S : Executable code before an included file. *******************************************************/ void static_75(void) { #include "c_standards.h" /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CMSE | : | 2.1.5 | ||
DERA | : | 87 | ||
GJB | : | 4.2.1.5 | ||
HIS | : | 87 | ||
LMTCP | : | 39 | ||
MISRA-AC | : | 19.1 | ||
MISRA-C++:2008 | : | 16-0-1 | ||
MISRA-C:1998 | : | 87 | ||
MISRA-C:2004 | : | 19.1 | ||
NETRINO | : | 4.3.b |
This standard is not applicable to java.
Due to poor definition in the language it is dangerous to use more than one of these operators or indeed both in the same macro.
#include "c_standards.h" /******************************************************* * Standard 76 S : More than one of # or ## in a macro. ********************************************************/ #define SetVariable( Variable, Value ) (dummy( ##Variable, #Value )) void dummy(UCHAR *p_1, UCHAR *p_2) { /* ... */ } void static_76(void) { UCHAR NewString[128]; UINT_32 value = 10; SetVariable(NewString, value ); /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes Global * */
CMSE | : | 1.1.11 | ||
CWE | : | 758 | ||
DERA | : | 98 | ||
GJB | : | 4.1.1.11 | ||
HIS | : | 98 | ||
LMTCP | : | 41 | ||
MISRA-AC | : | 19.12 | ||
MISRA-C++:2008 | : | 16-3-1 | ||
MISRA-C:1998 | : | 98 | ||
MISRA-C:2004 | : | 19.12 |
This standard is not applicable to java.
Some authorities believe that the body of a function like (one with parameters) macro should be enclosed in brackets.
#include "c_standards.h" #define getrandom(max) rand() % ( (max) + 1) /******************************************************** * Standard 77 S : Macro is not function like. ********************************************************/ void static_77(void) { UINT_32 test; test = (getrandom(100)); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes Global * */
CAST | : | 5.1.14 | ||
CERT-C | : | PRE02-C | ||
CMSE | : | 1.1.12 | ||
DERA | : | 96 | ||
EADS-C | : | 92 | ||
GJB | : | 4.1.1.12 | ||
HIC++ | : | 14.14 | ||
HIS | : | 96 | ||
JSF++ AV | : | 29 | ||
LMTCP | : | 35 | ||
MISRA-C:1998 | : | 96 | ||
NETRINO | : | 6.3.b |
This standard is not applicable to java.
Some authorities believe that the use of parameters in the macro body should be enclosed in brackets.
For example:
#define abs(x) (((x) >= 0) ? (x) : -(x)) /*Correct */ #define abs(x) x >= 0 ? x : -x /*Incorrect */
In the incorrect second sample, the problem manifests itself when the following call is made
z=abs(a-b)
which becomes:
z= a - b >= 0 ? a - b : -a - b;
where the last expression -a - b is equivalent to (-a) - b and not - (a - b), as expected.
#include "c_standards.h" /******************************************************** * Standard 78 S : Macro parameters not in brackets ********************************************************/ #define multiple(a1, a2) ( (al)*a2) void test_78(void) { SINT_32 test; SINT_32 p1=2; SINT_32 p2=5; test = (multiply(100,p1)); test = (multiply(100,p1-p2)); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes Global * */
CAST | : | 5.2.5 | ||
CERT-C | : | PRE01-C, PRE02-C | ||
CMSE | : | 2.1.6 | ||
CWE | : | 735 | ||
DERA | : | 96 | ||
EADS-C | : | 92 | ||
GJB | : | 4.2.1.6 | ||
HIC++ | : | 14.14 | ||
HIS | : | 96 | ||
MISRA-AC | : | 19.10 | ||
MISRA-C++:2008 | : | 16-0-6 | ||
MISRA-C:1998 | : | 96 | ||
MISRA-C:2004 | : | 19.10 | ||
NETRINO | : | 6.3.b | ||
SEC-C | : | M4.7.1 |
This standard is not applicable to java.
Some authorities believe that macros should only be used for symbolic constants, function-like macros, type qualifiers and storage class specifiers. Statement keywords and type keywords are not permitted.
This standard can be relaxed to allow the use of >> and << in macro statements by configuring the modifier 298 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" #define t void /******************************************************** * Standard 79 S : Macro contains unacceptable items ********************************************************/ t static_79(t) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.1.15 | ||
CERT-C | : | PRE03-C | ||
CMSE | : | 1.1.13 | ||
DERA | : | 90 | ||
EADS-C++ | : | 49 | ||
GJB | : | 4.1.1.13 | ||
HIC++ | : | 14.15 | ||
HIS | : | 90 | ||
LMTCP | : | 35 | ||
MISRA-AC | : | 19.4 | ||
MISRA-C++:2008 | : | 16-2-2 | ||
MISRA-C:1998 | : | 90 | ||
MISRA-C:2004 | : | 19.4 | ||
SEC-C | : | M1.8.2 |
This standard is not applicable to java.
The use of pointers is difficult to control, so levels of indirection greater than two are considered very dangerous. Pointers to Pointers are acceptable.
#include "c_standards.h" /******************************************************** * Standard 80 S : Pointer indirection exceeds 2 levels. ********************************************************/ void static_80(void) { UINT_32 array[10] = {0}; UINT_32 * p1_ptr, **p2_ptr; UINT_32 *** p3_ptr; UINT_32 w; p1_ptr = array; p2_ptr = &p1_ptr; p3_ptr = &p2_ptr; w = ***p3_ptr; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.4.2 | ||
CMSE | : | 4.1.2 | ||
DERA | : | 102 | ||
GJB | : | 4.4.1.2 | ||
HIS | : | 102 | ||
JPL | : | 9 | ||
JSF++ AV | : | 169, 170 | ||
LMTCP | : | 313, 314 | ||
MISRA-AC | : | 17.5 | ||
MISRA-C++:2008 | : | 5-0-19 | ||
MISRA-C:1998 | : | 102 | ||
MISRA-C:2004 | : | 17.5 | ||
SEC-C | : | M3.4.1 |
This standard is not applicable to java.
C as a language was designed using the standard English character set and requires #[\]^{|}~ characters. Certain platforms or regions do not feature these required characters or symbols, and so trigraphs are allowed to represent these missing characters. Some authorities believe that the use of trigraphs is dangerous, so this standard reports any trigraph detected.
#include "c_standards.h" /******************************************************* * Standard 81 S : Use of trigraphs. *******************************************************/ void static_81(void) ??< /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Before * Source Code & Violations Yes Before * Reformatted Code Yes Before * Individual Quality Report Yes * */
CERT-C | : | PRE07-C | ||
CMSE | : | 8.1.2 | ||
CWE | : | 735 | ||
DERA | : | 7 | ||
EADS-C++ | : | 52 | ||
GJB | : | 4.8.1.2 | ||
HIC++ | : | 14.18 | ||
HIS | : | 7 | ||
JSF++ AV | : | 11 | ||
LMTCP | : | 12 | ||
MISRA-AC | : | 4.2 | ||
MISRA-C++:2008 | : | 2-3-1 | ||
MISRA-C:1998 | : | 7 | ||
MISRA-C:2004 | : | 4.2 | ||
SEC-C | : | M1.8.4 |
This standard is not applicable to java.
Some authorities believe that the use of wide string literals is dangerous.
#include "c_standards.h" /******************************************************* * Standard 82 S : Use of wide string literal. *******************************************************/ void static_82(void) { wchar_t WideChar = L'1'; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
Since octal numbers, which start with a leading zero, can be confused for decimal numbers with a leading zero they are considered to be dangerous.
For Example:
code[1] = 109 /* set to decimal 109 */ code[2] = 100 /* set to decimal 100 */ code[3] = 052 /* incorrect - set to decimal 42 */ code[4] = 071 /* incorrect - set to decimal 57 */
#include "c_standards.h" /******************************************************* * Standard 83 S : Octal number found. *******************************************************/ void static_83(void) { UINT_32 i; i = (UINT_32) 076; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * */
CAST | : | 5.8.5 | ||
CMSE | : | 8.1.3 | ||
DERA | : | 19 | ||
GJB | : | 4.8.1.3 | ||
HIS | : | 19 | ||
JSF++ AV | : | 149 | ||
LMTCP | : | 270 | ||
MISRA-AC | : | 7.1 | ||
MISRA-C++:2008 | : | 2-13-2 | ||
MISRA-C:1998 | : | 19 | ||
MISRA-C:2004 | : | 7.1 | ||
SEC-C | : | M1.8.5 |
The register storage-class specifier is a request, not an imperative, to the compiler to allocate the fastest possible access mechanism for the object specified. Its use also places restrictions upon the use of the variable or object specified. It is not possible, for example, to compute the address of any register variable, regardless of what decisions the compiler made.
#include "c_standards.h" /******************************************************** * Standard 84 S : Register variable declared. ********************************************************/ void static_84(void) { register SINT_32 ri = 0; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.8.7 | ||
CMSE | : | 8.2.6 | ||
DERA | : | 28 | ||
GJB | : | 4.8.2.7 | ||
HIC++ | : | 8.3.3 | ||
JSF++ AV | : | 140 | ||
LMTCP | : | 255 | ||
MISRA-C:1998 | : | 28 | ||
NETRINO | : | 1.7.b |
This standard is not applicable to java.
Enumerator types can be explicitly initialised, but only two forms of initialisation are safe. One is to initialise all the entries and the other is to initialise only the first. An enum without initialisation is safe.
This standard can be further restricted to prohibit enums with no explicit initialisation by configuring the modifier 377 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
For Example:
enum (x,y,z) /*GOOD (unless type 377 is set) - no explicit initialisation*/ enum (x=1,y,z) /*GOOD - first value only*/ enum (x=2,y=3,z=4) /*GOOD - all values set*/ enum (x,y,z=1) /*BAD*/
#include "c_standards.h" /******************************************************** * Standard 85 S : Incomplete initialisation of enumerator. ********************************************************/ void static_85(void) { enum E_type { num1, num2 = 2, num3}; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.13.1 | ||
CERT-C | : | INT09-C | ||
CMSE | : | 13.1.1 | ||
DERA | : | 32 | ||
EADS-C | : | 81 | ||
EADS-C++ | : | 55 | ||
GJB | : | 4.13.1.1 | ||
HIS | : | 32 | ||
JSF++ AV | : | 145 | ||
LMTCP | : | 260 | ||
MISRA-AC | : | 9.3 | ||
MISRA-C++:2008 | : | 8-5-3 | ||
MISRA-C:1998 | : | 32 | ||
MISRA-C:2004 | : | 9.3 | ||
SEC-C | : | R1.2.2 |
The macro pre-processor can redefine reserved words which can lead to confusion.
#include "c_standards.h" /******************************************************** * Standard 86 S : Attempt to define reserved word. ********************************************************/ #define FILE UINT_32 void dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.1.16 | ||
CERT-C | : | ERR31-C | ||
CMSE | : | 1.1.14 | ||
CWE | : | 746 | ||
DERA | : | 114 | ||
GJB | : | 4.1.1.14 | ||
HIS | : | 114 | ||
LMTCP | : | 92 | ||
MISRA-AC | : | 20.1 | ||
MISRA-C++:2008 | : | 17-0-1 | ||
MISRA-C:1998 | : | 114 | ||
MISRA-C:2004 | : | 20.1 |
This standard is not applicable to java.
Performing arithmetic on pointers is considered to be an unsafe activity since there is no guarantee that the result is a valid address.
#include "c_standards.h" /******************************************************** * Standard 87 S : Use of pointer arithmetic. ********************************************************/ void static_87(void) { UINT_32 w; UINT_32 array[5]; UINT_32 * p1_ptr; p1_ptr = array; w = *(p1_ptr + 8); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.4.5 | ||
CMSE | : | 4.2.2 | ||
DERA | : | 101, 104 | ||
GJB | : | 4.4.2.2 | ||
HIS | : | 101, 104 | ||
JSF++ AV | : | 215 | Modifiers : 266 = 1 | |
LMTCP | : | 315, 400 | ||
MISRA-C:1998 | : | 101, 104 | ||
SEC-C | : | R1.3.1 |
This standard is not applicable to java.
This standard is designed to ensure that all code inserts are pure procedures with a defined interface.
#include "c_standards.h" /******************************************************* * Standard 88 S : Procedure is not pure assembler. *******************************************************/ void static_88(void) { UINT_32 x; x=0; _asm { mov eax,x } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
CAST | : | 5.2.6 | ||
CMSE | : | 2.1.7 | ||
DERA | : | 3 | ||
GJB | : | 4.2.1.7 | ||
HIC++ | : | 13.5 | ||
LMTCP | : | 17 | ||
MISRA-AC | : | 2.1 | ||
MISRA-C++:2008 | : | 7-4-3 | ||
MISRA-C:1998 | : | 3 | ||
MISRA-C:2004 | : | 2.1 | ||
NETRINO | : | 1.1.c | ||
SEC-C | : | P2.1.1 |
This standard is not applicable to java.
It is rarely known that chars can be implemented as either a signed or unsigned type, therefore programmers should be explicit.
/******************************************************** * Standard 89 S : char type not signed or unsigned ********************************************************/ typedef char CHAR; void static_89(void) { CHAR c = 'c'; /* ... */ } /* * Copyright (c) 2007 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
This is designed to make code portable between compilers where the sizes of the basic types can vary dramatically. Therefore the use of the basic types is banned except in typedefs. An example of a number of definitions follow:
typedef char CHAR; typedef unsigned char UCHAR; typedef unsigned short UINT_16; typedef unsigned int UINT_32; typedef signed char SCHAR; typedef signed short SINT_16; typedef signed int SINT_32; typedef float FLOAT_32; typedef double FLOAT_64; typedef enum { FALSE = 0, TRUE = 1} BOOL;
This standard can be relaxed to allow the plain char basic type to be used by configuring the modifier 219 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
/******************************************************** * Standard 90 S : Basic type declaration used. ********************************************************/ unsigned int static_90 (void) { char CHAR; unsigned char UCHAR; unsigned int UINT_32; unsigned short UINT_16; int SINT_32; float FLOAT_32; double FLOAT_64; signed char SCHAR; /* ... */ return UINT_32; } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.1.19 | ||
DERA | : | 13 | ||
EADS-C | : | 84 | ||
GJB | : | 4.1.2.1 | ||
HIC++ | : | 8.4.6, 13.6 | ||
HIS | : | 13 | ||
JSF++ AV | : | 209 | Modifiers : 219 = 1 | |
LMTCP | : | 393 | Modifiers : 219 = 1 | |
MISRA-AC | : | 6.3 | ||
MISRA-C++:2008 | : | 3-9-2 | ||
MISRA-C:1998 | : | 13 | ||
MISRA-C:2004 | : | 6.3 | ||
NETRINO | : | 5.2.a | ||
SEC-C | : | P2.1.3 |
This standard is not applicable to java.
The C language allows the same names to be used in many different contexts (blocks and namespaces), which is unsafe, as it may lead to confusion as to which variant is active at the time. This standard increases readability by enforcing unique names. This standard is restricted to LDRA Testbed installations featuring the MISRA component, as indicated by (MR).
#include "c_standards.h" /******************************************************** * Standard 91 S : Name redeclared in another namespace. ********************************************************/ UINT_32 static_91 (void); struct static_91 { UINT_32 static_91; UINT_32 u_1; }; UINT_32 static_91 (void) { UINT_32 var_1; static_91: var_1 = 1; return (var_1); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.1.11 | ||
CMSE | : | 1.1.16 | ||
DERA | : | 12 | ||
EADS-C | : | 53 | ||
GJB | : | 4.1.1.16 | ||
MISRA-AC | : | 5.2, 5.6, 5.7 | ||
MISRA-C:1998 | : | 12 | ||
MISRA-C:2004 | : | 5.2, 5.6, 5.7 | ||
SEC-C | : | M1.7.1 |
This standard is not applicable to java.
The C language allows the same names to be used in many different contexts (blocks and namespaces), which is unsafe, as it may lead to confusion as to which variant is active at the time. This standard reports where a field in an enumeration is the same as another name.
#include "c_standards.h" UINT_32 duplicate = 0; /******************************************************** * Standard 92 S : Duplicate use of a name in an enumeration. ********************************************************/ void static_92 (void) { enum Name_type { e1, duplicate } EnumVar; EnumVar = e1; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.15.1 | ||
CMSE | : | 15.1.1 | ||
DERA | : | 12 | ||
GJB | : | 4.15.1.1 | ||
LMTCP | : | 248 | ||
MISRA-AC | : | 5.2, 5.7 | ||
MISRA-C:1998 | : | 12 | ||
MISRA-C:2004 | : | 5.2, 5.7 | ||
SEC-C | : | M1.7.1 |
This is used to enforce strict type checking. Mixed use of types must be accompanied by an explicit cast.
This standard includes a check that array indexing is performed using unsigned integers. The array indexing check is switched off when using the MISRA-C:2004 model, but can be enabled by configuring the modifier 372 in the creport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /******************************************************** * Standard 93 S : Value is not of appropriate type. ********************************************************/ void STATIC_93(void) { FLOAT_32 fl; fl = 2.0; /* Requires explicit assignment of 2.0F */ /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.6.16 | ||
CERT-C | : | INT01-C, INT02-C, INT07-C, INT31-C | ||
CMSE | : | 6.1.8 | ||
CWE | : | 192, 197, 758 | Modifiers : 191 = 1 | |
DERA | : | 18, 48 | ||
GJB | : | 4.6.1.8 | ||
HIS | : | 18, 48 | ||
MISRA-AC | : | 6.1, 6.2, 10.1, 10.2, 10.3, 10.4 | ||
MISRA-C:1998 | : | 18, 48 | ||
MISRA-C:2004 | : | 6.1, 6.2, 10.1, 10.2, 10.3, 10.4 | ||
NETRINO | : | 5.2.c, 5.3.c, 5.4.b | ||
SEC-C | : | M1.2.2 |
This standard is not applicable to c++ and java.
Casting pointers to other types can be dangerous.
#include "c_standards.h" /******************************************************** * Standard 94 S : Casting operation on a pointer. ********************************************************/ void static_94(UINT_32 * p1_ptr) { UINT_16 v_1; v_1 = (UINT_16 ) p1_ptr; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CERT-C | : | EXP11-C, EXP36-C, INT11-C | ||
CMSE | : | 12.1.1 | ||
DERA | : | 45 | ||
EADS-C++ | : | 15, 16 | ||
GJB | : | 4.12.1.1 | ||
HIC++ | : | 7.5, 7.7, 13.7 | ||
HIS | : | 45 | ||
JSF++ AV | : | 182 | ||
LMTCP | : | 328 | ||
MISRA-AC | : | 11.1, 11.2, 11.4 | ||
MISRA-C++:2008 | : | 5-2-6 | ||
MISRA-C:1998 | : | 45 | ||
MISRA-C:2004 | : | 11.1, 11.2, 11.4 | ||
SEC-C | : | R2.7.1 |
This standard is not applicable to java.
Generating a pointer other than by taking an address is considered dangerous.
This standard can be relaxed to allow casts from void* by configuring the modifier 381 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /******************************************************** * Standard 95 S : Casting operation to a pointer. ********************************************************/ struct Astruct { UINT_32 a; }; void static_95 (UINT_32 *intptr) { struct Astruct *Astructptr; Astructptr = (struct Astruct *) intptr; /* not compliant */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.12.1 | ||
CERT-C | : | EXP11-C | ||
CMSE | : | 12.2.1 | ||
DERA | : | 45 | ||
EADS-C++ | : | 28 | ||
GJB | : | 4.12.2.1 | ||
HIC++ | : | 7.5 | ||
HIS | : | 45 | ||
JSF++ AV | : | 182 | Modifiers : 381 = 1 | |
LMTCP | : | 328, 331 | ||
MISRA-AC | : | 11.1, 11.4 | ||
MISRA-C++:2008 | : | 5-2-6 | ||
MISRA-C:1998 | : | 45 | ||
MISRA-C:2004 | : | 11.1, 11.4 | ||
SEC-C | : | R2.7.1 |
This standard is not applicable to java.
In general the programmer should show that they appreciate that they are using mixed mode arithmetic by using explicit casts. This penalty is reported whenever LDRA Testbed detects a potential loss of precision, either within an intermediate result (and hence implementation-defined) or an assignment across types. For example, the intermediate result of a division between two integers is a fractional number (which LDRA Testbed deems to be a float), and not the type of the lvalue.
int x=2, y=3; float z=0; z=y/x; /*This is incorrect*/ z=(float) y / (float) x; /*This is correct*/
#include "c_standards.h" /******************************************************** * Standard 96 S : Use of mixed mode arithmetic. ********************************************************/ void static_96(void) { SINT_32 sx = -10; UINT_16 usi = 1; UINT_32 ui = 2u; FLOAT_32 fl = 2.0F; FLOAT_64 dbl = 3.0; ui = sx + 2u; usi = ui + 1u; fl = dbl; } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CERT-C | : | INT02-C | ||
CMSE | : | 6.2.3 | ||
CWE | : | 192, 197 | ||
DERA | : | 43, 48 | ||
EADS-C++ | : | 29 | ||
GJB | : | 4.6.2.3 | ||
HIC++ | : | 7.6, 10.13, 10.14 | Modifiers : 267 = 1 | |
HIS | : | 43, 48 | Modifiers : 267 = 1 | |
JSF++ AV | : | 162, 180, 184 | Modifiers : 267 = 1 | |
LMTCP | : | 292, 325, 398 | Modifiers : 267 = 1 | |
MISRA-AC | : | 6.2, 10.1, 10.2, 12.1, 12.6 | ||
MISRA-C++:2008 | : | 5-0-12 | ||
MISRA-C:1998 | : | 43, 48 | Modifiers : 267 = 1 | |
MISRA-C:2004 | : | 6.2, 10.1, 10.2, 12.1, 12.6 | ||
NETRINO | : | 1.4.a, 5.3.c, 5.4.b | ||
SEC-C | : | P1.3.1 |
This standard is not applicable to java.
Using casts where the conversion is meaningless often indicates that programmers don't know what they are doing and removing them also improves efficiency.
#include "c_standards.h" /******************************************************** * Standard 97 S : Use of redundant cast. ********************************************************/ void static_97(void) { SINT_32 sx,sy = -10; sx = (SINT_32) sy + 1; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CMSE | : | 12.2.2 | ||
DERA | : | 44, 48 | ||
GJB | : | 4.12.2.2 | ||
HIS | : | 48 | ||
JSF++ AV | : | 181 | ||
LMTCP | : | 327 | ||
MISRA-C:1998 | : | 44, 48 |
The formal parameters are derived from either the definition or the prototype, the actual parameters are those that are present in the call to the procedure. This continues the theme of rigorous type checking across procedure boundaries. To be precise, actual and formal parameters must be compatible, and not necessarily identical. However the rules regarding compatibility are restrictive and do not extend to distinct types deemed safe for conversion, e.g. between pointer to void and some other pointer type. Examples of compatible type pairs are:
signed int, int
unsigned short int, unsigned short
This standard is restricted to LDRA Testbed installations featuring the MISRA component, as indicated by (MR).
#include "c_standards.h" void foo( UINT_16 p_1, UINT_16 p_2 ) { /* ... */ } /******************************************************** * Standard 98 S : Actual and formal parameters inconsistent. ********************************************************/ void static_98(UINT_32 p_1, UINT_16 p_2) { foo( p_1, p_2); /* ... */ }
CAST | : | 5.7.6 | ||
CERT-C | : | EXP37-C | ||
CMSE | : | 7.1.9 | ||
CWE | : | 685 | ||
DERA | : | 105 | ||
GJB | : | 4.7.1.9 | ||
HIS | : | 105 | ||
MISRA-C:1998 | : | 105 |
This standard is not applicable to c++ and java.
It is possible to use a procedure identifier in expressions which do not lead either to a call or an assignment of the address of the function.
#include "c_standards.h" BOOL test_99(void) { BOOL retval= TRUE; /* ... */ return retval; } /******************************************************** * Standard 99 S : Function use is not a call. ********************************************************/ void static_99(void) { if ( test_99 ) { /* ... */ } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.7.7 | ||
CERT-C | : | MSC02-C | ||
CMSE | : | 7.2.2 | ||
CWE | : | 480 | ||
DERA | : | 85 | ||
GJB | : | 4.7.2.2 | ||
HIS | : | 85 | ||
LMTCP | : | 235 | ||
MISRA-AC | : | 16.9 | ||
MISRA-C++:2008 | : | 8-4-4 | ||
MISRA-C:1998 | : | 85 | ||
MISRA-C:2004 | : | 16.9 | ||
SEC-C | : | M1.5.1 |
This standard is not applicable to java.
This standard bans the use of the characters ' \ /* in include file names. For users of the PC the \ is essential so the characters ' and \ are configurable using the modifier 100 in the c/cppvals.dat file. Instructions for making alterations can be found in the manual.
/***************************************************** * Standard 100 S : #include filename is non conformant. *****************************************************/ #include <\ctype.h> void dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CMSE | : | 2.1.8 | ||
CWE | : | 758 | ||
DERA | : | 88, 89 | ||
GJB | : | 4.2.1.8 | ||
HIS | : | 88, 89 | ||
JSF++ AV | : | 53.1 | ||
LMTCP | : | 40, 77, 202 | ||
MISRA-AC | : | 19.2 | ||
MISRA-C++:2008 | : | 16-2-4, 16-2-5 | ||
MISRA-C:1998 | : | 88, 89 | ||
MISRA-C:2004 | : | 19.2 | ||
SEC-C | : | P1.4.1 |
This standard is not applicable to java.
LDRA Testbed enforces strong type checking. This standard reports when the type returned by a return statement is not consistent with the function declaration.
It is possible to switch off the check for the return statement of main by configuring the modifier 374 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /******************************************************** * Standard 101 S : Function return type inconsistent. ********************************************************/ UINT_32 static_101( UINT_32 par_1) { switch (par_1) { case 0: return (-1); break; case 1: return (1U); break; case 2: return (1L); break; case 3: return (1.0f); break; default: break; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.9.4 | ||
CERT-C | : | INT02-C | ||
CMSE | : | 9.1.4 | ||
CWE | : | 192, 197 | ||
DERA | : | 83 | ||
GJB | : | 4.9.1.4 | ||
HIC++ | : | 5.10 | ||
HIS | : | 83 | ||
LMTCP | : | 325 | ||
MISRA-AC | : | 10.1, 10.2 | ||
MISRA-C:1998 | : | 83 | ||
MISRA-C:2004 | : | 10.1, 10.2 | ||
NETRINO | : | 5.3.c, 5.4.b |
There is a difference between the function prototype and definition return types. This continues the theme of rigorous type checking across procedure boundaries. This standard is restricted to LDRA Testbed installations featuring the MISRA component, as indicated by (MR).
#include "c_standards.h" UINT_32 static_102(UINT_32 p_1, UINT_16 p_2); /******************************************************** * Standard 102 S : Function and prototype return inconsistent. ********************************************************/ SINT_32 static_102(UINT_32 p_1, UINT_16 p_2) { SINT_32 result = 0; /* ... */ return result; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Header * Source Code & Violations Yes Procedure Header * Reformatted Code Yes Procedure Header * Individual Quality Report Yes * */
CAST | : | 5.9.5 | ||
CMSE | : | 1.1.25, 9.1.5 | ||
DERA | : | 26, 72 | ||
GJB | : | 4.9.1.5, 5.1.14 | ||
HIS | : | 26, 72 | ||
LMTCP | : | 231 | ||
MISRA-AC | : | 8.3 | ||
MISRA-C++:2008 | : | 3-9-1 | ||
MISRA-C:1998 | : | 26, 72 | ||
MISRA-C:2004 | : | 8.3 | ||
NETRINO | : | 4.3.c |
This standard is not applicable to java.
There is a difference between the function prototype and definition parameter types. This standard is restricted to LDRA Testbed installations featuring the MISRA component, as indicated by (MR).
#include "c_standards.h" BOOL static_103(FLOAT_32 up_1); /*************************************************************** * Standard 103 S : Function and prototype param inconsistent. ***************************************************************/ BOOL static_103(UINT_32 up_1) { BOOL ret = FALSE; /* ... */ return ret; } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.7.5, 5.16.6 | ||
CMSE | : | 7.1.10 | ||
DERA | : | 26, 72 | ||
GJB | : | 4.7.1.10 | ||
HIC++ | : | 11.3 | ||
HIS | : | 26, 72 | ||
LMTCP | : | 231 | ||
MISRA-AC | : | 8.3 | ||
MISRA-C++:2008 | : | 3-9-1 | ||
MISRA-C:1998 | : | 26, 72 | ||
MISRA-C:2004 | : | 8.3 | ||
NETRINO | : | 4.3.c |
This standard is not applicable to java.
Consistent with strong typing there is an inconsistency between a structure definition and its initialisation.
#include "c_standards.h" struct s_type_a { SINT_32 xs; FLOAT_32 fs;}; /******************************************************** * Standard 104 S : Struct field initialisation incorrect. ********************************************************/ void static_104(void) { struct s_type_a sta = {3.14F, 0.0f}; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
Brace faults are generated if the initialisation does not contain the same brace structure as the nesting of the definition.
#include "c_standards.h" struct pixel{ UINT_32 colour; struct {UINT_32 x, y;} coords ;}; /******************************************************** * Standard 105 S : Struct field initialisation brace fault. ********************************************************/ void static_105(void) { UINT_32 xs=0; UINT_32 ys=0; struct pixel spot = {1u, xs, ys }; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.13.3 | ||
CMSE | : | 13.1.3 | ||
CWE | : | 758 | ||
DERA | : | 31 | ||
GJB | : | 4.13.1.3 | ||
HIS | : | 31 | ||
JSF++ AV | : | 144 | ||
LMTCP | : | 259 | ||
MISRA-AC | : | 9.2 | ||
MISRA-C++:2008 | : | 8-5-2 | ||
MISRA-C:1998 | : | 31 | ||
MISRA-C:2004 | : | 9.2 | ||
SEC-C | : | M2.1.1, R1.2.1 |
This standard is not applicable to java.
The value of volatile variables can change outside of the control of the application. This standard allows all such declarations to be monitored. The cross reference report gives all the uses of variables identified by this standard.
#include "c_standards.h" /***************************************************** * Standard 106 S : Volatile declaration *****************************************************/ void static_106(void) { volatile UINT_32 v = 1U; UINT_32 x=0; x = v; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard performs strong type checking for the two alternatives of a ternary expression.
#include "c_standards.h" /******************************************************* * Standard 107 S : Type Mismatch in ternary Expression. ********************************************************/ void static_107(void) { BOOL flag= FALSE; UINT_32 x = 0; UCHAR l = 'A'; FLOAT_32 z = 1.1F; x = (flag ? l : z); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard reports strong typing mismatches between the result of an expression and the type of the value.
#include "c_standards.h" /******************************************************** * Standard 108 S : Assignment types do not match. ********************************************************/ void static_108(void) { FLOAT_32 fl = 2.0F; FLOAT_64 dbl = 3.0; fl = dbl; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
All array indices should be positive whole numbers.
#include "c_standards.h" #define ArraySize 3.0F /******************************************************** * Standard 109 S : Array subscript is not integral. ********************************************************/ void static_109(void) { UINT_32 fl_arr[ (UINT_32) ArraySize ] = {0,1,2}; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
The single line comment is not available in all compilers and should not be used.
#include "c_standards.h" /******************************************************** * Standard 110 S : Use of single line comment ********************************************************/ void static_110(void) { // This is a single line comment /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
The only use of labels which can be said to be safe is in a switch statement. This standard is restricted to LDRA Testbed installations featuring the MISRA component, as indicated by (MR).
#include "c_standards.h" /******************************************************** * Standard 111 S : Label is not part of switch statement. ********************************************************/ void static_111(void) { SINT_32 jump_flag = 0; start: jump_flag++; if (jump_flag <10) { goto start; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
Changing the type of a user-defined type is at best confusing and at worse dangerous.
#include "c_standards.h" typedef SINT_32 mytype; /******************************************************** * Standard 112 S : Typedef name redeclared.(Different basic type) ********************************************************/ void static_112(void) { typedef FLOAT_32 mytype; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.1.12 | ||
CMSE | : | 1.1.17 | ||
DERA | : | 17 | ||
GJB | : | 4.1.1.17 | ||
HIS | : | 17 | ||
LMTCP | : | 89 | ||
MISRA-AC | : | 5.3, 5.6 | ||
MISRA-C++:2008 | : | 2-10-3 | ||
MISRA-C:1998 | : | 17 | ||
MISRA-C:2004 | : | 5.3, 5.6 |
This standard is not applicable to java.
This is reported whenever a character is found in the source file which is not defined in the character set section of the c/cppvals.dat file. It is primarily used to detect those characters not defined in the ANSI C standard.
3***** The lines of permissible characters,(80A1),those NOT changed ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz ()[].!~+-*/%<>=& ^|?:;,0123456789_{}'"#\$@<space><tab>
#include "c_standards.h" /******************************************************* * Standard 113 S : Non standard character in source. *******************************************************/ void static_113(void) { UCHAR non_std_char = 'ù'; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CERT-C | : | MSC09-C | ||
CMSE | : | 15.2.1 | ||
CWE | : | 747 | ||
DERA | : | 5 | ||
GJB | : | 4.15.2.1 | ||
HIS | : | 5 | ||
JSF++ AV | : | 9 | ||
LMTCP | : | 9, 16 | ||
MISRA-AC | : | 1.2 | ||
MISRA-C:1998 | : | 5 | ||
MISRA-C:2004 | : | 1.2 |
This standard reports integer expressions which are used in boolean contexts. The C LDRA Testbed treats expression with Boolean operators as Boolean expressions. If the compiler has Boolean types then strong typing is applied. When the compiler does not have a boolean type the use of bool or BOOL to declare variables will be treated by the C LDRA Testbed as a declaration of a Boolean type. The user will of course have to use a typedef: typedef int BOOL; in their code. Users wishing to use another name will need to put that same name in the cvals.dat file. Users should copy the cvals.dat settings for BOOLEAN for their replacement name. Instructions for making alterations can be found in the manual.
#include "c_standards.h" /***************************************************** * Standard 114 S : Expression is not Boolean. *****************************************************/ void static_114(void) { UINT_32 x = 0; if (x) { /* ... */ } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.14.3 | ||
CMSE | : | 6.1.23, 14.1.2 | ||
DERA | : | 35, 36, 49 | ||
GJB | : | 4.14.1.2, 5.1.12 | ||
HIC++ | : | 5.2 | ||
HIS | : | 35, 36 | ||
LMTCP | : | 299, 307, 360 | ||
MISRA-AC | : | 12.6, 13.2 | ||
MISRA-C++:2008 | : | 5-0-13, 5-0-14, 5-3-1 | ||
MISRA-C:1998 | : | 35, 36, 49 | ||
MISRA-C:2004 | : | 12.6, 13.2 | ||
SEC-C | : | M1.5.2, M3.3.3 |
This standard is not applicable to java.
This standard only permits strings over line boundaries if they are terminated by a backslash.
#include "c_standards.h" /******************************************************* * Standard 115 S : String incorrectly terminated. *******************************************************/ void static_115(void) { UCHAR* str = "string\ literal"; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
C uses the value zero (0) for Boolean FALSE, and all non-zero values are equivalent to Boolean TRUE. It is safer to compare against the one known value, FALSE, than to perform a comparison against a single value of the entire set that represents TRUE. This standard reports instances in a Boolean context where a variable is compared for equality with unity (1).
#include "c_standards.h" /******************************************************** * Standard 116 S : Boolean comparison with 0 preferred. ********************************************************/ void static_116 (void) { UINT_32 x = 2u; if ( x == 1u ) { /* ... */ ; } if ( x != 1u ) { /* ... */ ; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
This is to tighten up the use of Boolean expressions.
#include "c_standards.h" /***************************************************** * Standard 117 S : Logical negation of constant value. *****************************************************/ void static_117(void) { BOOL flag = FALSE; if (flag == (BOOL)!1) { /* ... */ } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
This ensures that error conditions can be propagated and that parameters can be input.
#include "c_standards.h" /******************************************************* * Standard 118 S : Main must be int (void) or int (int,char*[]). *******************************************************/ void main(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Header * Source Code & Violations Yes Procedure Header * Reformatted Code Yes Procedure Header * Individual Quality Report Yes * */
This standard is not applicable to java.
While the C standard clearly states that comments do not nest, certain compilers allow nested comments, without warning. This is dangerous, as the compiler will terminate the comment at the first termination sequence (*/) encountered, potentially regarding all remaining parts of the comment as legal code. It would be safer to enclose the required section within #if 0 ... #endif markers.
#include "c_standards.h" /******************************************************* * Standard 119 S : Nested comment found *******************************************************/ void static_119(void) { /* This is the Outer Comment /* This is the Inner Comment */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Before * Source Code & Violations Yes Before * Reformatted Code Yes Before * Individual Quality Report Yes * */
CAST | : | 5.10.1 | ||
CERT-C | : | MSC04-C | ||
CMSE | : | 10.1.1 | ||
CWE | : | 747 | ||
DERA | : | 9 | ||
GJB | : | 4.10.1.1 | ||
HIS | : | 9 | ||
LMTCP | : | 246 | ||
MISRA-AC | : | 2.3 | ||
MISRA-C++:2008 | : | 2-7-1 | ||
MISRA-C:1998 | : | 9 | ||
MISRA-C:2004 | : | 2.3 | ||
NETRINO | : | 2.1.b |
The handling of signed types with bitwise operators is unsafe, for example, and (&) or or (|), as the results are implementation specific. The sign may be lost, or shifted into the numeric part of the value.
#include "c_standards.h" /***************************************************** * Standard 120 S : Use of bit operator on signed type. *****************************************************/ void static_120(void) { SINT_32 b = 1; b = b | 1; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Control Structure Header * Source Code & Violations Yes Control Structure Header * Reformatted Code Yes Control Structure Header * Individual Quality Report Yes * */
CAST | : | 5.6.11 | ||
CERT-C | : | INT13-C | ||
CMSE | : | 6.1.12 | ||
CWE | : | 682 | ||
DERA | : | 37 | ||
GJB | : | 4.6.1.12 | ||
HIC++ | : | 10.11 | ||
HIS | : | 37 | ||
LMTCP | : | 297 | ||
MISRA-AC | : | 12.7 | ||
MISRA-C++:2008 | : | 5-0-21 | ||
MISRA-C:1998 | : | 37 | ||
MISRA-C:2004 | : | 12.7 | ||
NETRINO | : | 5.3.b |
This should be implemented as an if then else. The default clause will never be executed.
#include "c_standards.h" /******************************************************** * Standard 121 S : Use of boolean expression in switch. ********************************************************/ void static_121(void) { BOOL flag = FALSE; switch (flag) { case TRUE: break; case FALSE: break; default: break; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.14.1 | ||
CMSE | : | 14.1.3 | ||
DERA | : | 63 | ||
GJB | : | 4.14.1.3 | ||
HIS | : | 63 | ||
JSF++ AV | : | 195 | ||
LMTCP | : | 347 | ||
MISRA-AC | : | 15.4 | ||
MISRA-C++:2008 | : | 6-4-7 | ||
MISRA-C:1998 | : | 63 | ||
MISRA-C:2004 | : | 15.4 | ||
SEC-C | : | M1.3.1 |
The use of functions which terminate execution is banned. Functions which terminate execution are identified in c/cppvals.dat as type 39 codes, and can be changed as needed. Instructions for making alterations can be found in the manual.
#include "c_standards.h" #include "process.h" /******************************************************** * Standard 122 S : Use of abort, exit, etc. ********************************************************/ void static_122(BOOL flag) { if (flag) { abort(); } exit(0); } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CMSE | : | 7.2.3 | ||
DERA | : | 126 | ||
GJB | : | 4.7.2.3 | ||
HIC++ | : | 5.9 | ||
HIS | : | 126 | ||
JSF++ AV | : | 24 | ||
LMTCP | : | 28, 356 | ||
MISRA-AC | : | 20.11 | ||
MISRA-C++:2008 | : | 18-0-3 | ||
MISRA-C:1998 | : | 126 | ||
MISRA-C:2004 | : | 20.11 |
This standard enforces strong type checking. Enumerated types must be used only in comparisons with other enumerated types.
#include "c_standards.h" /******************************************************** * Standard 123 S : Use of underlying enum representation value ********************************************************/ void static_123(void) { enum E_type { Enum1, Enum2 , Enum3}; UINT_32 ui; ui = Enum1; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.6.12, 5.16.3 | ||
CMSE | : | 6.1.13, 15.1.7 | ||
DERA | : | 66, 67 | ||
EADS-C++ | : | 56, 57 | ||
GJB | : | 4.6.1.3, 5.1.22 | ||
HIC++ | : | 13.6, 15.3 | ||
LMTCP | : | 367 | ||
MISRA-C++:2008 | : | 4-5-2 |
The ++ and -- operators are considered dangerous, this standard detects the prefix versions. Postfix versions can be detected with 30 S.
#include "c_standards.h" /***************************************************** * Standard 124 S : Use of prefix ++ or -- *****************************************************/ void static_124(void) { SINT_32 x = 1; ++x; /* not compliant */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
DERA | : | 136 |
These operators are poorly defined and can lead to undefined results.
#include "c_standards.h" #include <STDIO.H> /******************************************************* * Standard 125 S : Use of ## or # in a macro ********************************************************/ #define cat(x) (&string[##(x)]) void static_125( UCHAR string[50], UINT_32 n) { UCHAR *token1; token1=cat(n); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes Global * */
CERT-C | : | PRE05-C | ||
CMSE | : | 15.2.2 | ||
DERA | : | 157 | ||
GJB | : | 4.15.2.2 | ||
LMTCP | : | 41 | ||
MISRA-AC | : | 19.13 | ||
MISRA-C++:2008 | : | 16-3-2 | ||
MISRA-C:2004 | : | 19.13 | ||
SEC-C | : | M5.1.2 |
This standard is not applicable to java.
Preprocessor statements not should be spread over more than one file.
#include "c_standards.h" #define MISMATCHEDIF 1 /******************************************************* * Standard 126 S : A #if has no #endif in the same file. * Does not compile with VC++ ********************************************************/ #if MISMATCHEDIF == 1 void dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code No * Source Code & Violations No * Reformatted Code Yes File * Individual Quality Report Yes Global * */
CAST | : | 5.1.13 | ||
CMSE | : | 1.1.18 | ||
DERA | : | 160 | ||
GJB | : | 4.1.1.18 | ||
LMTCP | : | 43 | ||
MISRA-AC | : | 19.17 | ||
MISRA-C++:2008 | : | 16-1-2 | ||
MISRA-C:2004 | : | 19.17 | ||
SEC-C | : | M4.7.2 |
This standard is not applicable to java.
The use of incomplete array definitions is not permitted.
The use of incomplete array declarations in function declarations can be excluded from this check by configuring the modifiers 285 or 286 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file
#include "c_standards.h" /******************************************************** * Standard 127 S : Array has no bounds specified. ********************************************************/ void static_127(void) { UINT_32 u_array[] = {0,1,2}; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.1.18 | ||
CERT-C | : | ARR02-C | ||
CMSE | : | 1.1.19 | ||
CWE | : | 665, 758 | Modifiers : 286 = 1 | |
DERA | : | 162, 166 | Modifiers : 285 = 1 | |
GJB | : | 4.1.1.19 | Modifiers : 286 = 1 | |
MISRA-AC | : | 8.12 | Modifiers : 286 = 1 | |
MISRA-C++:2008 | : | 3-1-3 | ||
MISRA-C:2004 | : | 8.12 | Modifiers : 286 = 1 |
This standard is not applicable to java.
The C language allows the same names to be used in many different contexts (blocks and namespaces), which is unsafe, as it may lead to confusion as to which variant is active at the time. In this instance, the parameter variable would be used within the procedure, but the coder may be confused over which value or instance of the variable is active.
#include "c_standards.h" /*-- Global Declarations --*/ UINT_32 global_int = 0; /******************************************************** * Standard 128 S : Parameter has same name as global variable. ********************************************************/ void static_128(UINT_32* global_int) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Header * Source Code & Violations Yes Procedure Header * Reformatted Code Yes Procedure Header * Individual Quality Report Yes * */
CAST | : | 5.15.3 | ||
CMSE | : | 15.1.3 | ||
DERA | : | 21, 128 | ||
GJB | : | 4.15.1.3 | ||
HIS | : | 21 | ||
LMTCP | : | 248 | ||
MISRA-AC | : | 5.2 | ||
MISRA-C++:2008 | : | 2-10-2 | ||
MISRA-C:1998 | : | 21 | ||
MISRA-C:2004 | : | 5.2 | ||
SEC-C | : | M1.7.1 |
The C language allows the same names to be used in many different contexts (blocks and namespaces), which is unsafe, as it may lead to confusion as to which variant is active at the time. In this instance, the parameter variable name is already declared as a type or as a tag, which can be the name of a structure, a union or an enumeration.
#include "c_standards.h" typedef UINT_32 DUPLICATE; /******************************************************* * Standard 129 S : Parameter has same name as type or tag. ********************************************************/ void static_129(UINT_32 DUPLICATE) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.15.4 | ||
CMSE | : | 15.1.4 | ||
DERA | : | 12 | ||
GJB | : | 4.15.1.4 | ||
LMTCP | : | 248 | ||
MISRA-AC | : | 5.7 | ||
MISRA-C:1998 | : | 12 | ||
MISRA-C:2004 | : | 5.7 |
The use of certain libraries and functions is prohibited by some authorities. This standard prevents the use of nominated include files. The list of include file names not permitted are listed as type 260 in the c/cppvals.dat files. Instructions for making alterations can be found in the manual.
#include "c_standards.h" /******************************************************* * Standard 130 S : Included file is not permitted. ********************************************************/ #include <stdio.h> void Dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes Global * */
DERA | : | 121, 123, 124, 127 | ||
EADS-C++ | : | 43 | ||
HIC++ | : | 17.1 | ||
HIS | : | 121, 123, 124, 127 | ||
JSF++ AV | : | 17, 19, 21, 22, 25 | ||
LMTCP | : | 23, 25, 26, 29, 30 | ||
MISRA-AC | : | 20.8, 20.9, 20.12 | ||
MISRA-C++:2008 | : | 18-0-1, 18-0-4, 18-0-5, 18-7-1, 27-0-1 | ||
MISRA-C:1998 | : | 121, 123, 124, 127 | ||
MISRA-C:2004 | : | 20.8, 20.9, 20.12 |
This standard is not applicable to java.
The C language allows the same names to be used in many different contexts (blocks and namespaces), which is unsafe, as it may lead to confusion as to which variant is active at the time. While block structure rules allow names to be reused in inner blocks, this standard will report any instances encountered.
#include "c_standards.h" /******************************************************** * Standard 131 S : Name reused in inner scope. ********************************************************/ void STATIC_131(UINT_32 p_1) { UINT_32 static_131; BOOL c_1 = FALSE; if (c_1) { UINT_32 static_131 = 1u; static_131 = static_131 + 1u; } static_131 = p_1; /* ... */ } /* * * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.15.2, 5.15.5 | ||
CERT-C | : | DCL01-C | ||
CERT-J | : | SCP03-J | ||
CMSE | : | 15.1.2, 15.1.5 | ||
DERA | : | 21, 128 | ||
EADS-C++ | : | 30 | ||
GJB | : | 4.15.1.2, 4.15.1.5 | ||
HIC++ | : | 8.2.1 | ||
HIS | : | 21 | ||
JPL | : | 6 | ||
JSF++ AV | : | 135, 138 | ||
LMTCP | : | 248 | ||
MISRA-AC | : | 5.2, 5.3, 5.4, 5.5 | ||
MISRA-C++:2008 | : | 2-10-2 | ||
MISRA-C:1998 | : | 21 | ||
MISRA-C:2004 | : | 5.2, 5.3, 5.4, 5.5 | ||
SEC-C | : | M1.7.1 |
The assignment operator (=) set an lvalue, whereas the equality operator (==) performs a comparison. It is possible that the assignment operator was typed in error. This is highly likely, and the operator should be the equality operator.
For Example:
if (flag=false) /*Incorrect-assignment made*/ if (flag==false) /*Correct - comparison performed*/
#include "c_standards.h" /***************************************************** * Standard 132 S : Assignment operator in boolean expression. *****************************************************/ void static_132(void) { BOOL flag = FALSE; if (flag = FALSE) /* This condition should be (flag == FALSE) */ { /* ... */ } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.6.1 | ||
CERT-C | : | MSC02-C | ||
CMSE | : | 6.1.15 | ||
CWE | : | 481 | ||
DERA | : | 35 | ||
GJB | : | 4.6.1.15 | ||
HIC++ | : | 10.5, 10.6 | ||
HIS | : | 35 | ||
JSF++ AV | : | 160 | Modifiers : 247 = 1 | |
LMTCP | : | 291 | ||
MISRA-AC | : | 13.1 | ||
MISRA-C++:2008 | : | 6-2-1 | ||
MISRA-C:1998 | : | 35 | ||
MISRA-C:2004 | : | 13.1 | ||
NETRINO | : | 8.2.c, 8.6.a |
Any assignment on the right hand side of a logical and (&&) or or (||) operator is conditional on the result of the term to the left of the operator. This is considered to be bad practice.
#include "c_standards.h" /***************************************************** * Standard 133 S : Assignment operator in RHS of && or || *****************************************************/ void static_133(void) { BOOL flag = FALSE; UINT_32 y = 0, x = 0; if ( flag && ((x = y) == 0)) { /* ... */ } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.6.13 | ||
CERT-C | : | EXP02-C | ||
CMSE | : | 6.1.16 | ||
CWE | : | 768 | ||
DERA | : | 33 | ||
GJB | : | 4.6.1.16 | ||
HIC++ | : | 10.6, 10.9 | ||
HIS | : | 33 | ||
JSF++ AV | : | 157 | ||
MISRA-C:1998 | : | 33 |
The value of volatile variables can change outside of the control of the application. This standard reports any expression that uses the same volatile variable more than once. This is unsafe, as the value returned may be different at each stage of the expression evaluation. It is safer to use volatiles only in simple expressions which are unlikely to be optimised. If it is required that the same value be used in all parts of an expression, it is better to retain the current value in a local variable and use that in place of the volatile component of the expression.
For example:
volatile UINT_32 v=1U; UINT_32 x,a; x=v*v; /* this is unsafe, v could change*/ a=v; x=a*a; /* this is safe, the value of v was captured */
#include "c_standards.h" /***************************************************** * Standard 134 S : Volatile variable in complex expression. *****************************************************/ void static_134(void) { UINT_32 y = 0, x = 0,z = 1u; volatile UINT_32 v = 1U; x = (v + z) / (v * y); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CERT-C | : | EXP10-C, EXP30-C | ||
CMSE | : | 15.1.6 | ||
CWE | : | 758 | ||
DERA | : | 46 | ||
GJB | : | 4.15.1.6 | ||
HIC++ | : | 10.3 | ||
HIS | : | 46 | ||
LMTCP | : | 362 | ||
MISRA-AC | : | 12.2 | ||
MISRA-C++:2008 | : | 5-0-1 | ||
MISRA-C:1998 | : | 46 | ||
MISRA-C:2004 | : | 12.2 | ||
SEC-C | : | R3.6.1 |
The original standard for C was devised by Kernighan and Richie (often referred to as K&R ). This allowed parameter lists to be declared using the name ONLY, with the type optionally following the declaration. It is often preferred that programmers only use the newer (ANSI) form of parameter list, even though compilers will accept K&R style declarations. This standard reports any instances encountered.
#include "c_standards.h" /******************************************************** * Standard 135 S : Parameter list is KR. ********************************************************/ void static_135( p_1, p_2) UINT_32 p_1; UINT_32 p_2; { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Header * Source Code & Violations Yes Procedure Header * Reformatted Code Yes Procedure Header * Individual Quality Report Yes * */
This standard is not applicable to c++ and java.
A bitwise operator, for example, and (&) or or (|), has been detected within an expression which uses a boolean operator. It is highly likely that the wrong operator is being used, e.g.& instead of &&.
#include "c_standards.h" /***************************************************** * Standard 136 S : Bit operator with boolean operand. *****************************************************/ void static_136(void) { UINT_32 x = 1u; BOOL flag = FALSE; if ((flag | (x != 0)) == FALSE) { /* ... */ } }
CAST | : | 5.6.14 | ||
CMSE | : | 6.1.17 | ||
CWE | : | 480 | ||
DERA | : | 36 | ||
GJB | : | 4.6.1.17 | ||
HIC++ | : | 10.11 | ||
HIS | : | 36 | ||
MISRA-AC | : | 12.6 | ||
MISRA-C++:2008 | : | 4-5-1 | ||
MISRA-C:1998 | : | 36 | ||
MISRA-C:2004 | : | 12.6 |
A bitwise operator, for example, and (&) or or (|), has been detected within an expression featuring a boolean. It is highly likely that the wrong operator is being used, e.g. & instead of &&.
#include "c_standards.h" /***************************************************** * Standard 137 S : Bit operator acting on boolean value. *****************************************************/ void static_137(void) { UINT_32 y = 2u; BOOL flag = FALSE; flag = flag & (y == 2u); }
All bit fields should have a name. The use of anonymous bit fields could be just packing, but also could be due to an error. For example:
struct bad {UINT_32 x:1, :1; UINT_32 z:1;} struct good {UINT_32 x:1; UINT_32 y:1; UINT_32 z:1;}
This standard can be relaxed to allow anonymous bit fields of length 0 by configuring the modifier 248 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /******************************************************** * Standard 138 S : Anonymous bit field used in structure. ********************************************************/ struct static_138 {UINT_32 x, :2;}; void dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CAST | : | 5.1.23 | ||
CMSE | : | 1.2.9 | ||
DERA | : | 113 | ||
GJB | : | 4.1.2.9 | ||
HIS | : | 113 | ||
JSF++ AV | : | 156 | Modifiers : 248 = 1 | |
LMTCP | : | 285 | Modifiers : 248 = 1 | |
MISRA-C:1998 | : | 113 |
This standard is not applicable to java.
It is possible that a branch condition evaluates to a constant value. This would cause some control flow structure to be infeasible and lead to the possibility of infeasible code. E.g.
if (0) { /* NEVER EXECUTED */ } else {...};
#define defval 0 typedef enum { LANE_0 = 0, LANE_1 = 1, LANE_LAST = 3 } lane_t; extern lane_t get_lane ( void ); /******************************************************** * Standard 139 S : Construct leads to infeasible code. ********************************************************/ void static_139( void ) { lane_t lane = get_lane(); if ( (lane > LANE_0) && ( lane <= LANE_LAST)) /* not compliant - else branch never reached */ { /* ... */ } if (defval) /* not compliant - then branch never reached*/ { /* ... */ } } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CERT-C | : | MSC07-C | ||
CMSE | : | 6.2.4 | ||
CWE | : | 561, 570, 571 | ||
DERA | : | 52 | ||
GJB | : | 4.6.2.4 | ||
HIC++ | : | 5.3 | ||
HIS | : | 52 | ||
LMTCP | : | 306 | ||
MISRA-AC | : | 13.7 | ||
MISRA-C++:2008 | : | 0-1-2 | ||
MISRA-C:1998 | : | 52 | ||
MISRA-C:2004 | : | 13.7 |
Detects when a loop condition evaluates to a constant FALSE value
#include "c_standards.h" #define defval 0 /******************************************************** * Standard 140 S : Infeasible loop condition found. ********************************************************/ void static_140(void) { while (0) { /* ... */ } while( defval ) { /* ... */ } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Control Structure Header * Source Code & Violations Yes Control Structure Header * Reformatted Code Yes Control Structure Header * Individual Quality Report Yes * */
CERT-C | : | MSC07-C | ||
CMSE | : | 11.2.3 | ||
CWE | : | 561, 570, 571 | ||
DERA | : | 52 | ||
GJB | : | 4.11.2.3 | ||
HIC++ | : | 5.3 | ||
HIS | : | 52 | ||
MISRA-AC | : | 13.7 | ||
MISRA-C:1998 | : | 52 | ||
MISRA-C:2004 | : | 13.7 |
This identifies incomplete declarations of the form:
struct atagname;
A correct declaration requires a full declaration of all components of the structure.
struct atagname(UINT_32 A,UINT_32 B);
#include "c_standards.h" /******************************************************** * Standard 141 S : Incomplete Structure declaration ********************************************************/ struct static_141_s; void dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
This indicates that some parameters have a type and a name and others do not.
#include "c_standards.h" /******************************************************** * Standard 142 S : Parameter list declarations are inconsistent. ********************************************************/ void static_142(UINT_32 , UINT_16 p_2) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Control Structure Header * Source Code & Violations Yes Control Structure Header * Reformatted Code Yes Control Structure Header * Individual Quality Report Yes * */
This standard is not applicable to java.
Some compilers will permit the use of curly brackets "{}" in expressions. This can be very confusing to maintainers and is not portable.
#include "c_standards.h" /******************************************************** * Standard 143 S : Curly Brackets used in Expression ********************************************************/ UINT_32 static_143(UINT_32 p_1,UINT_32 p_2) { UINT_32 result; result = p_1{}; return result; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
Floating point numbers can introduce computational errors, loss of precision, and unexpected responses in comparison and loops. Floating point needs great care and hence its use is generally not permitted.
#include "c_standards.h" /******************************************************** * Standard 144 S : Floating Point Not Permitted ********************************************************/ FLOAT_32 static_144(FLOAT_32 p_1,FLOAT_32 p_2) { FLOAT_32 result; result = p_1 + p_2; return result; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
Some compilers fail to parse the expression following a #if, e.g.:
#if MACRO_NAME JUNK_NAME
The term that follows a #if should also evaluate to a boolean result, and this type of expression is suspicious.
/******************************************************** * Standard 145 S : #if has invalid expression. ********************************************************/ #define static_145 6 #if static_145 i #endif /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code No * Source Code & Violations Yes File * Reformatted Code Yes * Individual Quality Report Yes * */
This standard is not applicable to java.
C permits macros without parameter lists hence
#define Macro() some_macro_body
is confusing and possibly due to an error.
#define Macro some_macro_body
is more easily understood.
/******************************************************** * Standard 146 S : #define with empty parameter list. ********************************************************/ #define static_146() ("dummy()") void dummy(void); /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
This detects coding errors of the type:
#endif ;
where the semi colon is not needed.
/******************************************************** * Standard 147 S : Spurious characters after preprocessor directive ********************************************************/ #ifdef STATIC_147 typedef unsigned char UCHAR; #endif ; void dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes * Source Code & Violations Yes * Reformatted Code Yes * Individual Quality Report Yes * */
This standard is not applicable to java.
In C, any declaration or definition that omits a return type will use the implementation-specific default return type. No reliance should be made on default types, so this standard reports any instances encountered
#include "c_standards.h" /******************************************************** * Standard 148 S : No return type for function/procedure. ********************************************************/ static_148(UINT_32 p1); static_148(UINT_32 p1) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Definition and Procedure Header * Source Code & Violations Yes Definition and Procedure Header * Reformatted Code Yes Definition and Procedure Header * Individual Quality Report Yes * */
This standard is not applicable to java.
Call by reference parameters are declared as pointers and these pointers are initialised by the actual parameter. However these pointer parameters can at any time be reassigned to point to any other suitable object in scope. This is a highly undesirable construct leading to possibly serious errors and unmaintainability.
#include "C_STANDARDS.H" UCHAR *STATIC_149( UCHAR *p1); void test_149(void) { UCHAR *a = "Query"; UCHAR *b; b=STATIC_149(a); } /******************************************************** * Standard 149 S : Reference parameter to procedure is reassigned. ********************************************************/ UCHAR *STATIC_149( UCHAR *p1 ) { static UCHAR *newA = "Response"; p1++; p1=p1+1; p1=newA; return p1; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
The use of type qualifiers volatile and const in a function type is undefined. These type qualifiers would normally only be applied to an lvalue.
#include "c_standards.h" volatile UINT_32 STATIC_150(void); /******************************************************** * Standard 150 S : Volatile or const used in function type. ********************************************************/ volatile UINT_32 STATIC_150(void) { volatile UINT_32 r; /* ... */ return r; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Definition and Procedure Header * Source Code & Violations Yes Definition and Procedure Header * Reformatted Code Yes Definition and Procedure Header * Individual Quality Report Yes * */
DERA | : | 147 |
This standard is not applicable to java.
Some bodies consider the use of globals to be dangerous. For example, the macro replacement could use a local definition with the same name instead of the required global variable. This standard reports any instances of a global variable wihin a macro definition encountered.
#include "C_STANDARDS.H" /******************************************************** * Standard 151 S : Use of global variable in macro definition ********************************************************/ UINT_32 globvar; #define STATIC_151 globvar /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
DERA | : | 159 |
This standard is not applicable to java.
The mixture of C and preprocessor commands is potentially dangerous.
#include "C_STANDARDS.H" /******************************************************** * Standard 152 S : Use of a comment in a macro definition. ********************************************************/ #define STATIC_152 /*STATIC_152*/ /* ... */ /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
The mixture of C and preprocessor commands is potentially dangerous.
#ifdef STATIC_153 /* A Comment */ /* ... */ #endif /* Another Comment */ /******************************************************** * Standard 153 S : Use of a comment in a pre-processor directive ********************************************************/ void dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
DERA | : | 155 |
This standard is not applicable to java.
C allows header files to include further header files. Some bodies consider this unsafe, and require a flat file structure, where all include files contain only the information relevant to the file, and NO further includes. This standard will report any include files that have further includes.
#include "C_TYPES.H" /******************************************************** * Standard 154 S : Nested Header Files Found ********************************************************/ void dummy(void) { /* ... */ /* ... */ /* ... */ /* ... */ /* ... */ /* ... */ /* ... */ /* ... */ /* ... */ /* ... */ /* ... */ /* ... */ /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
The mixture of C and preprocessor commands is potentially dangerous.
#include "C_STANDARDS.H" /************************************************************** * Standard 155 S : Comments between PreProcessor directives **************************************************************/ #ifdef STATIC_155 this is a comment, as STATIC_155 is undefined. #endif void dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes Global * */
DERA | : | 161 |
This standard is not applicable to java.
The mixture of C and preprocessor commands is potentially dangerous. This standard reports any macros which feature the preprocessor directive defined.
#include "c_standards.h" #define STATIC_156(x) defined(x) /**************************************************** * Standard 156 S : ****************************************************/ #if STATIC_156(c) UINT_32 var1; #else SINT_32 var1; #endif #define c 1 #if STATIC_156(c) UINT_32 var2; #else SINT_32 var2; #endif void dummy( void ) { /* ... */ } /* * Copyright (c) 2000 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
The location of a string literal is determined at the time the program is compiled. For example, it may be placed an area of memory marked as read-only, or physically stored within the binary executable. It is unsafe to attempt to change any such text, as the consequences are unpredictable.
#include "C_STANDARDS.H" /**************************************************** * Standard 157 S : Modification of string literal. ****************************************************/ void STATIC_157(void) { CHAR *c = "1234567890"; /* ... */ c[7] = '0'; *(c+6) = '1'; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CAST | : | 5.16.13 | ||
CERT-C | : | STR05-C, STR30-C | ||
CWE | : | 758 | ||
DERA | : | 130 | ||
GJB | : | 5.1.19 | ||
JSF++ AV | : | 151.1 | ||
LMTCP | : | 273 | ||
MISRA-AC | : | 1.2 | ||
MISRA-C:2004 | : | 1.2 |
This standard is not applicable to java.
The *** symbols refer to a user definable number, defaulting to 10 for this standard. The configuration is made in the c/cpppen.dat file. Instructions for making alterations can be found in the manual.
#include "C_STANDARDS.H" /***************************************************************** * Standard 158 S : Expression with more than *** subconditions. *****************************************************************/ void STATIC_158(void) { UINT_32 a1,b1,c1,d1,e1; UINT_32 a2,b2,c2,d2,e2; UINT_32 a3,b3,c3,d3,e3; if ((a1==0) && (b1==0) && (c1==0) && (d1==0) && (e1==0) && (a2==0) && (b2==0) && (c2==0) && (d2==0) && (e2==0) && (a3==0) && (b3==0) && (c3==0) && (d3==0) && (e3==0)) { /* ... */ } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
DERA | : | 146 |
Any comparison of a pointer to NULL or zero should be made to a NULL pointer of the correct type. e.g.
char *message; if (message != (char *)(NULL) ) /* compliant */ if (message != NULL ) /* not compliant */
This standard can be relaxed to allow comparisons with zero by configuring the modifier 207 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /********************************************************* * Standard 159 S : Comparing pointer with zero or NULL. *********************************************************/ void STATIC_159(void) { CHAR *message = "TEST"; /* ... */ if ( message != NULL ) /* not compliant */ { /* ... */ } if ( message != 0 ) /* not compliant but permitted with modifier 207 */ { /* ... */ } } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
DERA | : | 163 |
This standard is not applicable to java.
/********************************************************* * Standard 160 S : Loop in macro expansion.. *********************************************************/ #define A B #define B A #define C D #define D E #define E C main(){ int B; int C; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
This standard is not applicable to java.
Note that visibility of a variable declared in a for statement in C++ has changed in [ISO/IEC]; it is only visible within the for loop. Therefore, don't define variables in the for statement.
#include "c_standards.h" /********************************************************* * Standard 161 S : Declaration in for statement. *********************************************************/ void STATIC_161(void) { UINT_32 x, y=0; for(unsigned x(0);x <3;x++) { y++; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
This standard is not applicable to c.
Don't put member function definitions in the class declaration. Only member function declarations. An exception is for small member functions with an empty function body.
#include "c_standards.h" /******************************************************** * Standard 162 S : Method defined within class declaration. ********************************************************/ class one { public: long l; one(UINT_32 i){;} ~one(void){;} void bproc(); }; one::one(void) { l=9; } void one::bproc(void) { l=7; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
This standard is not applicable to c and java.
Function names shall start with a lower-case letter (not including subsystem/package prefixes).
Class member functions (C++ only) are reported by 173 S.
/******************************************************** * Standard 163 S : Function starts with upper case character. ********************************************************/ void Static_163(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
The use of void declared pointers is not allowed. Exceptions can be made if no other solution is available and the reason is documented.
void proc(void *){;} #include /******************************************************** * Standard 164 S : Use of void * pointer. ********************************************************/ void * aproc() { return NULL; } main() { void * p; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
This standard is not applicable to java.
Use nested classes and local classes in functions with caution. The added complexity of scope rules and restrictions may be confusing, especially since there are differences in the scope rules used in C and C++. It can be of use in some circumstances though.
/******************************************************** * Standard 165 S : Nested class declaration. ********************************************************/ class one { public: long along; class nested { public: short s; nested(){;} }; one() { nested anest; } }; /* * Copyright (c) 2001 Liverpool Data Research Associates * */
This standard is not applicable to c and java.
/******************************************************** * Standard 166 S : Class declared in function body. ********************************************************/ class one { public: long l; one(){;} void aproc() { class inproc1 { public: short s; inproc1(){;} }; } }; /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
This standard is not applicable to c and java.
The declaration of structure/class variables shall be separate from the definition of the type. For clarity of compilation diagnostics, use typedef (rather than defines).
/******************************************************** * Standard 167 S : Class variable declared in class definition. ********************************************************/ class one { public: long a; one(){;} } aone, *paone; /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
This standard is not applicable to c and java.
Non-pointer function parameters whose arguments are passed as call by value shall be declared constant. Pointer function parameters are covered by standard 603 S.
#include "c_standards.h" /******************************************************** * Standard 168 S : Call by value parameter not const. ********************************************************/ void aproc( UINT_32 i) {;} /* Not Compliant */ class one { public: UINT_16 s; void one_aproc( UINT_32 i) {;} /* Not Compliant */ }; /* * Copyright (c) 2001 Liverpool Data Research Associates * */
This standard is not applicable to java.
/******************************************************** * Standard 169 S : Use of forward reference of class member. ********************************************************/ typedef int INT; typedef short S; class ok { public: INT x; ok(void) { x = 1; } }; class notok1 { INT d; }; INT main(void) { ok one; } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
This standard is not applicable to c and java.
A call has been found that is not preceded by either a prototype, or the definition of the function. In this case the compiler may make assumptions about the types. May also occur for system functions where the include file containing the prototype has not been analysed, in which case should not be considered an error.
This standard is not applicable to c++ and java.
/******************************************************** * Standard 171 S : Variable has internal and external linkage. ********************************************************/ typedef unsigned char UC_8; typedef signed int SI_32; typedef unsigned int UI_32; extern SI_32 STATIC_170(void); static SI_32 x; extern SI_32 x; static UC_8 y; SI_32 STATIC_170(void) { extern UC_8 y; { extern UC_8 y; } return 1; } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
This standard is not applicable to c++ and java.
This standard can be relaxed to allow duplicate names in namespaces by configuring the modifier 297 in the cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
/***************************************************** * Standard 172 S : Variable declared multiply. *****************************************************/ #define mac1(x,y) def##y(x) #if mac1(c,ined) int ii; #else int jj; #endif #define c #if mac1(c,ined) int ii; #else int jj; #endif int main(void){ } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
This standard is not applicable to java.
Class member function names shall start with a lower-case letter. (This standard does not apply to constructors, destructors or conversion functions.)
Non-member functions are reported by 163 S.
/***************************************************** * Standard 173 S : Class member starts with upper case character. *****************************************************/ typedef int INT; typedef long LONG; class one {public: void Upper2_out(); }; void one::Upper2_out(){along=13;} INT main(void){ one x; } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
ESA-BSSC | : | 29 |
This standard is not applicable to c.
Class member function names shall start with a upper-case letter. (This standard does not apply to constructors, destructors or conversion functions.)
Non-member functions are reported by 175 S.
/***************************************************** * Standard 174 S : Class member starts with lower case character. *****************************************************/ typedef int INT; class one { public: INT x; void notokproc1 () { } }; INT main(void) { } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
ESA-BSSC | : | 29 |
This standard is not applicable to c.
Function names shall start with an upper-case letter (not including subsystem/package prefixes).
This rule does not apply to overloading the C++ operators new, new[], delete and delete[]. Class member functions (C++ only) are reported by 174 S.
#include "c_standards.h" /******************************************************** * Standard 175 S : Function starts with lower case character. ********************************************************/ typedef int INT; void notokproc3 () { } INT main(void) { } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
/***************************************************** * Standard 176 S : Non standard escape sequence in source. *****************************************************/ void STATIC_161 (void) { unsigned char c = 'b'; switch(c) { case '\m': break; case '$': break; case '£': break; case '@': break; case '¬': break; default: break; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CERT-C | : | MSC10-C | ||
CERT-J | : | IDS04-J | ||
CWE | : | 176, 758 | ||
DERA | : | 5 | ||
HIC++ | : | 6.4 | ||
HIS | : | 5 | ||
LMTCP | : | 19, 270 | ||
MISRA-AC | : | 4.1 | ||
MISRA-C++:2008 | : | 2-13-1 | ||
MISRA-C:1998 | : | 5 | ||
MISRA-C:2004 | : | 4.1 | ||
SEC-C | : | P1.2.1, P1.2.2 |
Each declaration of a variable or constant shall have a source line to itself. This LDRA penalty is not applicable to code substituted into the source through macro expansion, as these checks are based on the original code and do not extend to macro definitions.
/***************************************************** * Standard 177 S : Variable not declared on new line. * A/Ref: 5.1.2.1 *****************************************************/ INT okvar,notok2; INT main(void){ okvar=0; } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
CERT-C | : | DCL04-C | ||
EADS-C | : | 83 | ||
ESA-BSSC | : | 9 | ||
HIC++ | : | 8.4.2 | Modifiers : 220 = 1 | |
JPL | : | 4 | ||
JSF++ AV | : | 152 | Modifiers : 220 = 1 | |
LMTCP | : | 83 | Modifiers : 220 = 1 |
This LDRA penalty is not applicable to code substituted into the source through macro expansion, as these checks are based on the original code and do not extend to macro definitions.
/******************************************************** * Standard 178 S : Declaration does not start new line. ********************************************************/ typedef int INT; INT * oka; INT b, * okc; INT *notoka; INT c, *notokb; void proc( INT * s,INT *notokt); struct tag0 { INT * w;INT *notokq;} astr; struct tag1 { INT * w;INT *notokq;} * pastr1; struct tag2 { INT * w;INT *notokq;} *notokpastr2; INT main(void){ oka = 0; } /* * Copyright (c) 2001 Liverpool Data Research Associates * */
External variables shall be declared at the beginning of header files.
typedef int INT; #include "header1.h" #include "header2.h" #include "header3.h" /******************************************************** * Standard 179 S : Extern not at start of header file. ********************************************************/ INT main(void){ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
CAST | : | 5.16.15 |
This standard is not applicable to java.
If a pointer or reference type is used and de-reference operator ('*' and '&' (for C++)) is used in the type specification, then de-reference operator shall be written together with the type name, not the variable/constant name. It is important that only one variable/constant is declared on each line with this syntax style to avoid unintentional type declaration errors.
/******************************************************** * Standard 180 S : No space between * or & and name in declaration. * A/Ref: 5.1.2.3 ********************************************************/ typedef int INT; INT *notoka; INT c, *notokb; INT main(void){ notoka = 0; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
NETRINO | : | 3.1.e |
This standard is not applicable to java.
Control structure keywords (if,switch, while,for) are followed by one blank and the expression is parenthesised. Blanks may be used between parenthesis and the expression.
/******************************************************** * Standard 181 S : No space between if, while, for and expresn. * A/Ref: 5.1.3.5 ********************************************************/ typedef int INT; INT main(void){ INT i=3; if( 1==2 ) {2;} switch(i){ } switch (i){ } while(i==0){2;} do{2;}while(i==0); for(i=0;i>2;i++){2;} } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
Commas and semicolons are written with one blank (or new-line) after them.
/******************************************************** * Standard 182 S : No space after semi colon in for expression. * A/Ref: 5.1.3.4 ********************************************************/ typedef int INT; INT main(void){ INT i; for ( i = 0;i < 5;i++ ){ i++;} } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
This LDRA penalty is not applicable to code substituted into the source through macro expansion, as these checks are based on the original code and do not extend to macro definitions.
/******************************************************** * Standard 183 S : No newline after semi colon. * A/Ref: 5.1.3.4 ********************************************************/ typedef int INT; INT main(void){ INT i;INT j; for ( i = 0; i < 5; i++ ){ i++;} } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
The -> operator should not be written with surrounding spaces. The left bracket of an array declaration or subscript ([]) should not be preceded by a space. The right bracket of an array subscript should not be followed by a space if it is followed by a (.
This standard can be relaxed to allow spaces around [] by configuring the modifier 240 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /******************************************************** * Standard 184 S :Spaces round -> or [] operators. ********************************************************/ struct tag { INT_32 f; }; void proc(struct tag * astr, INT_32 b [] /* not compliant */ ) { astr ->f=2; /* not compliant */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
This standard is not applicable to java.
Unary operators are written without blanks between them and their operands.
/******************************************************** * Standard 185 S : Space between unary operator and operator. * A/Ref: 5.1.3.2 ********************************************************/ typedef int INT; void proc( INT * g){ * g = 77; *g = * g + 77; } INT main(void){ INT i=9; INT j=19; INT * p; i = - j; p = & j; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
Binary operators always have blanks around them.
/******************************************************** * Standard 186 S : Space missing before or after binary operator. * A/Ref: 5.1.3.3 ********************************************************/ typedef int INT; typedef unsigned int UINT; INT main(void){ INT i = 9; INT j =8; INT k= 7; UINT x = 3; UINT y = 17; i= j; i = j /k; i = j <<k; i = j && k; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
Use spaces for indentation; never use tab characters. This makes the printout independent of tab length.
/******************************************************** * Standard 187 S : Tab character in source. * A/Ref: 5.1.5.1 ********************************************************/ typedef int INT; INT g; INT main(void){ g = 9; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
To increase readability the bodies must have explicit braces (even if the body consists of only one line). This will also eliminate the "dangling else" problem. This LDRA penalty is not applicable to code substituted into the source through macro expansion, as these checks are based on the original code and do not extend to macro definitions."
/******************************************************** * Standard 188 S : { or } not on line by itself. * A/Ref: 5.1.5.3 ********************************************************/ typedef int INT; INT g; typedef char CHAR; void procok() { } struct tagnotok { CHAR a; }; struct { CHAR x; }; INT main(void) { g =9; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
This limitation is imposed to help to ensure that source code, when displayed or printed out, remains legible. Longer lines must be broken down nicely. The maximum width of characters is configured in the c/cppvals.dat file against the entry marked as type 177 (MAXLIN). Instructions for making alterations can be found in the manual.
177 120 Maximum source line length for standard 189 S. MAXLIN
Alternatively, the limit may be specified in the c/cppreport.dat file against the penalty detail, in association with the chosen programming model:
189 S C "AV:vals 177 120" "EADS:M:vals 177 132" "UML" "LMTCP:C:vals 177 75"
Very long source lines can be difficult to read and understand.
/******************************************************** * Standard 189 S : Input line exceeds limit. * A/Ref: 5.1.5.5 ********************************************************/ /*LDRA_INPUT 177 80 */ typedef int INT; INT main(void) { INT iiiiiiiiiiiii = 0; iiiiiiiiiiiii = iiiiiiiiiiiii + iiiiiiiiiiiii + iiiiiiiiiiiii + iiiiiiiiiiiii + iiiiiiiiiiiii; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
EADS-C | : | 140 | Modifiers : 177 = 132 | |
JSF++ AV | : | 41 | Modifiers : 177 = 120 | |
LMTCP | : | 64 | Modifiers : 177 = 75 | |
NETRINO | : | 1.2.a |
This LDRA penalty is not applicable to code substituted into the source through macro expansion, as these checks are based on the original code and do not extend to macro definitions.
The *** symbols refer to a user definable number for this standard, defaulting to 2. The configuration is made in the c/cpppen.dat file. Instructions for making alterations can be found in the manual.
This standard can be relaxed to allow indentation which is greater than the specified amount by configuring the modifier 324 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
/******************************************************** * Standard 190 S : { ... } contents not indented by 2 spaces. ********************************************************/ typedef int INT; void proc( INT * g){ * g = 77; *g = * g + 77; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
Parenthesis after function names have no blanks before the opening parentheses.
/******************************************************** * Standard 191 S : Space between function name and parenthesis. * A/Ref: 5.1.6.2 ********************************************************/ void notokproc1 () { } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
Due to improved readability it is recommended that inline, static and a trailing const for the function definition appears on a line on their own. Function arguments can be declared on a single line if enough space is available, otherwise one argument per line.
/******************************************************** * Standard 192 S : Static not on separate line in function defn. * A/Ref: 5.1.6.4 ********************************************************/ static void proc1(void) { } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
This standard is not applicable to java.
/******************************************************** * Standard 193 S : Inline not on separate line in function defn. ********************************************************/ class one {public: INT x; void mem1(void)const; }; inline void one::mem1(void) const { } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
This standard is not applicable to c and java.
For ease of readability and maintainability, a const qualifier for a member definition shall be placed on a separate line to that of the member identifer. The const-ness of a member is much easier to pick out when formatted in this way.
/******************************************************** * Standard 194 S : Const not on separate line in member defn. ********************************************************/ class one {public: INT x; void mem2(void) const; }; inline void one::mem2(void) const { } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
This standard is not applicable to c and java.
For ease of readability and maintainability, a function return type shall be placed on a separate line to that of the function identifer. Function names and their return types are much easier to pick out when formatted in this way.
/************************************************************** * Standard 195 S : Function return type needs a new line. **************************************************************/ static void proc2(void) { } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
JPL | : | 4 |
The order of protection sections in class declaration shall be:
/************************************************************** * Standard 196 S : No privacy statement at start of class. * A/Ref: 5.1.7.1 **************************************************************/ typedef int INT; class notok1 { INT d; }; /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
LMTCP | : | 82 |
This standard is not applicable to c.
Access specifiers in a class shall be ordered by decreasing scope of audience. Public is first and at the top of the class declaration, followed by Protected, and lastly Private - which is only of concern to the implementers of the class.
This standard can be relaxed to allow for classes with no protected section by configuring the modifier 210 in the cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /************************************************************** * Standard 197 S : Access specifiers in invalid order. **************************************************************/ class class_197{ public: INT_16 d; private: /* not compliant */ INT_32 a; protected: /* not compliant */ INT_32 q; }; /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
EADS-C++ | : | 2 | Modifiers : 210 = 1 | |
HIC++ | : | 3.1.1 | Modifiers : 210 = 1 | |
JSF++ AV | : | 57 | Modifiers : 210 = 1 | |
LMTCP | : | 82 | Modifiers : 210 = 1 |
This standard is not applicable to c.
Structs are to be used as in C. Class-like facilities such as access specifiers shall not be utilised.
/************************************************************** * Standard 198 S : Use of privacy statement in struct. **************************************************************/ typedef int INT; typedef short S; struct tag { INT l; private: S b; } okstr; INT main(void) { } /* * Copyright (c) 2001 Liverpool Data Research Associates * * */
This standard is not applicable to c and java.
Unnamed, or anonymous, namespaces shall not be used. An anonymous namespace is a facility for establishing identifiers as global but within the scope of a single file. It is preferred that each non-local identifier be qualified using a 'tagged' namespace.
#include "c_standards.h" // // Standard 199 S : Use of an anonymous namespace. // A/Ref: // SINT_32 foo(void); namespace { SINT_16 index = 0; } namespace NS { SINT_32 index = 1; SINT_32 some_ref = 99; } SINT_32 foo(void) { SINT_32 sum = index + // could be confused with NS::index NS::some_ref; return sum; } // // // Copyright (c) 2007 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Use const or possibly enum instead of macros to define constants, at least in C++. In C, usage of const is more limited and thus macros might have to be used. However, the const type qualifier is demanded for complex data types (structures, arrays etc) and is also easier to modify with a debugger.
typedef int INT; const unsigned char okuc = 17; unsigned char notokuc = 77; #define ACONSTAT 101 /******************************************************** * Standard 200 S : Define used for numeric constant. * A/Ref: 6.1.3.1 ********************************************************/ struct tag{const char t;}astr={'l'}; INT main(void){ signed short ss; notokuc = okuc;// overwrite constant ss = 131; // not allowed ss = ACONSTAT; // not allowed } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
CERT-C | : | DCL00-C | ||
EADS-C | : | 80, 88 | ||
EADS-C++ | : | 51 | ||
HIC++ | : | 14.17 | ||
JSF++ AV | : | 30 | ||
LMTCP | : | 36 | ||
NETRINO | : | 1.8.b |
This standard is not applicable to java.
The use of numeric literals, i.e. magic numbers, is generally accepted as undesirable due to the impact on maintainability. A typical example of a magic number would be a value used to limit the number of iterations for a fixed loop. Symbolic names in the form of const variables, or possibly enum constants, will be used instead, and ideally, placed in header files.
This standard also extends to numeric literals substituted via macros. It is acknowledged that macros might have to be used - particularly with the C language, where the usage of const is more limited than C++. However, the const type qualifier is demanded for complex data types (structures, arrays etc) and is also easier to modify with a debugger. The standard can be relaxed to allow numeric literals substituted via macros by configuring the modifier 163 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file. By default, the standard is configured to allow numeric literals substituted via macros.
It is also recognised that 0 and 1, in many cases, are not regarded as magic numbers, being literals with intuitive meaning, and so may be excluded from the rule check. This may be done by configuring the modifier 217 in the c/cppreport.dat file.
This standard can also be relaxed to allow the assignments of numeric literals to array elements in constructors by configuring the modifier 237 in the cppreport.dat file.
#include "c_standards.h" const SINT_16 okuc = 17; SINT_16 notokuc = 77; #define ACONSTANT 101 /******************************************************** * Standard 201 S : Use of numeric literal in expression. ********************************************************/ struct tag { const CHAR t; } astr={'l'}; SINT_32 main(void){ SINT_16 ss, on_off_flag; notokuc = okuc; /* overwrite non-const constant! */ ss = 131; /* not compliant */ ss = ACONSTANT; /* compliant but can be prohibited with modifier 163 */ on_off_flag = 0; /* not compliant but permitted with modifier 217 */ on_off_flag = 1; /* not compliant but permitted with modifier 217 */ on_off_flag = 2; /* not compliant */ return 0; /* not compliant but permitted with modifier 217 */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
CERT-C | : | DCL06-C, EXP07-C, EXP09-C | ||
CWE | : | 547 | Modifiers : 217 = 1 | |
EADS-C | : | 80, 87 | ||
HIC++ | : | 10.1 | Modifiers : 217 = 1 | |
JSF++ AV | : | 151 | Modifiers : 217 = 1 | |
LMTCP | : | 272 | Modifiers : 217 = 1 | |
NETRINO | : | 8.4.a | ||
SEC-C | : | M1.10.1 |
Avoid public or protected data in a class. Use access functions to provide access to data in a class. In interfacing with C it may be necessary to use structs only containing public data.
/******************************************************** * Standard 202 S : Class data is not private. * A/Ref: 6.1.7.4 ********************************************************/ class one {public: one(){;} long along; protected: short asort; private: unsigned unsign; public: unsigned char chr; }; /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
CERT-J | : | OBJ00-J | ||
EADS-C++ | : | 18 | ||
ESA-BSSC | : | 59 | ||
HIC++ | : | 3.4.1 | ||
JSF++ AV | : | 67 | ||
LMTCP | : | 100, 153 | ||
MISRA-C++:2008 | : | 11-0-1 |
This standard is not applicable to c.
"Never" convert a const to a non-const. An exception may be if a const function need to modify an internal variable that will not change the object as viewed from the outside. This is not necessary if the compiler supports the ISO/IEC C++ keyword mutable; most compilers don't support it yet though. The code should not depend on functions that use implicit type conversions.
typedef int INT; /******************************************************** * Standard 203 S : Cast on a constant value. * A/Ref: 6.2.2 ********************************************************/ const INT con=19; class one{ public: one():s(41){;} long along; const short s; }str; INT main(void){ INT x; x = (INT)con; x = (INT)str.s; } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
CERT-C | : | EXP05-C | ||
CWE | : | 704 | ||
HIC++ | : | 7.4 | ||
LMTCP | : | 328, 335 | ||
MISRA-AC | : | 11.5 | ||
MISRA-C++:2008 | : | 5-2-5 | ||
MISRA-C:2004 | : | 11.5 | ||
SEC-C | : | R2.7.2 |
The reserved words goto and continue shall be redefined in the standard project/product header file to produce a compilation error.
#define goto some_total_rubbish ---------- #define continue some_total_rubbish ---------- /******************************************************** * Standard 204 S : Continue or goto not defined to rubbish. * A/Ref: 6.3.6.7 ********************************************************/ typedef int INT; INT main(void){ } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
This standard is not applicable to java.
Avoid the use of complex inheritance structures. Derived classes that inherit from more than one base class, whether through mulitple inheritance or a multi-layered structure, generally do not justify the added complexity.
typedef int INT; // // Standard 205 S : Use of multiple inheritance. // A/Ref: 6.1.7.8 // class basic { public: Sint_32 anint; basic() { anint = 7; } }; class basic1 : public basic { public: Sint_32 anint1; basic1() { anint1 = 7; } }; class two : public basic1 { public: Sint_32 extra; }; Sint_32 main(void) { two atwo; } // // // Copyright (c) 2007 Liverpool Data Research Associates // //
EADS-C++ | : | 60 |
This standard is not applicable to c.
Use nested classes and local classes in functions with caution. The added complexity of scope rules and restrictions may be confusing, especially since there are differences in the scope rules used in C and C++. It can be of use in some circumstances though.
typedef int INT; /******************************************************** * Standard 206 S : Class initialiser out of order. * A/Ref: 6.1.7.7 ********************************************************/ class one { public: one(){;} INT oneint; class two { two(){;} INT anint; }; }; namespace mikes { class mikesclass{ public: mikesclass(){;} }; void aproc(void){ class local{ public: local(){;} }; local alocal; } }; INT main(void){ one aone; } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
This standard is not applicable to c.
C++ comments shall be used in preference to C style comments. Single line comments are clearer and without the risks associated with nesting of comments.
#include "c_standards.h" // // Standard 207 S : Use of old style /* comments in C++. // A/Ref: // void foo(void); void foo(void) { /* Old syle C comment at head of procedure */ UINT_32 local; // Rest of procedure // ... } // // // Copyright (c) 2007 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
In order to clearly distinguish between private data members and other identifiers, the use of a trailing underscore shall be used in the name.
// // Standard 208 S : Private data name needs trailing underscore. // A/Ref: // class MyClass { private: UINT_32 m_ok_item_; UINT_32 m_not_ok_item; // protected: public: }; void foo(void); void foo(void) { //... } // // // Copyright (c) 2007 Liverpool Data Research Associates // //
This standard is not applicable to c.
All preprocessor directives shall begin in column 1 by convention. A consistent layout promotes readability.
// Line below is indented! #include "c_standards.h" // // Standard 209 S : Preprocessor command indented. // A/Ref: // void foo(void); void foo(void) { //... } // // // Copyright (c) 2007 Liverpool Data Research Associates // //
This standard is not applicable to java.
All macro names shall be in upper case by convention. By using all upper case, macros are easily distinguishable from other identifiers.
#define my_sq_macro(X) ((X) * (X)) #include "c_standards.h" // // Standard 210 S : Macro name is not upper case. // A/Ref: // UINT_32 foo(UINT_32 p1); UINT_32 foo(UINT_32 p1) { return my_sq_macro(p1); } // // // Copyright (c) 2007 Liverpool Data Research Associates // //
This standard is not applicable to java.
Never overload the operators &&, || and, (comma operator). Their original behaviour can not be mimicked when overloading them.
/******************************************************** * Standard 211 S : Overloaded && , || or comma. * A/Ref: 6.3.1.2 ********************************************************/ class one{ public: long along; one(){;} int operator && (one & x){return 1;} int operator || (one & x){return 1;} int operator , (one & x){return 1;} }; int main(void){ one aone; } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
This standard is not applicable to c and java.
Use friends sparingly; a redesign of a class hierarchy and interface can be more appropriate. Friends of a class should be used to provide functions that are best kept outside of the class. If friends are used, assign friendship to specific functions and avoid assigning to a complete class if possible.
/******************************************************** * Standard 212/213 S : Use of friend function in class. * A/Ref: 6.1.7.5 ********************************************************/ void proc(int i){;} class two{ public: short ashort; two(){;} }; class one { public: long along; friend void proc(int i); friend class two; }; int main(void){ one aone; } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
This standard is not applicable to c and java.
Use friends sparingly; a redesign of a class hierarchy and interface can be more appropriate. Friends of a class should be used to provide functions that are best kept outside of the class. If friends are used, assign friendship to specific functions and avoid assigning to a complete class if possible.
/******************************************************** * Standard 212/213 S : Use of friend function in class. * A/Ref: 6.1.7.5 ********************************************************/ void proc(int i){;} class two{ public: short ashort; two(){;} }; class one { public: long along; friend void proc(int i); friend class two; }; int main(void){ one aone; } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
This standard is not applicable to c and java.
Use the keyword virtual for all definitions in derived classes of a function that is defined as virtual in a base class, even though this is optional
typedef int INT; /******************************************************** * Standard 214 S : Member not declared virtual. * A/Ref: 6.1.7.6 ********************************************************/ class one { public: one(){;} virtual void proc(); }; class two: one { public: two(){;} virtual void proc(); }; class thr: one { public: thr(){;} void proc(); }; INT main(void){ two atwo; thr athr; } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
This standard is not applicable to c and java.
Avoid declaring functions that create big temporary objects for return values and parameters, such as structures, unions, or classes passed by value.
This standard can be further restricted to check for functions with constant struct or class parameters by configuring the modifier 328 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /******************************************************** * Standard 215 S : Struct or class called by value. ********************************************************/ struct tag { INT_32 s;}; typedef struct tag TAG; typedef struct tag * PTAG; class two{public:INT_32 anint;two(){;}}; typedef class two TWO; class one { public: INT_32 i; one(){;} void aproc(struct tag d, class two e, TAG g, TWO h){;} }; typedef class one ONE; void proc( struct tag x,class one y, TAG z, TWO a){;} INT_32 main(void){ TAG atag; one aone; two atwo; proc(atag,aone,atag,atwo); aone.aproc(atag,atwo,atag,atwo); } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
This standard is not applicable to java.
The use of pointer parameters shall be consistent in the following manner:
typedef int INT; /******************************************************** * Standard 216 S : Pointer name does not have required suffix. * A/Ref: 6.1.6.10 ********************************************************/ INT * aptr; int * bptr; INT * nogood1; int * nogood2; void aproc(int * nogoodp,int * goodptr,INT * nogoodp2,INT * agoodptr){;} class one { public: int * strptr; int * strnogood; INT * strokptr; INT * strnogood2; one * oneptr; one * onenogood; one(){;} void amember(int * nogoodp,int * goodptr,INT * nogoodp2,INT * agoodptr, one * classptr, one * duff){;} }; INT main(void){ } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
EADS-C | : | 72 |
This standard is not applicable to java.
Don't use names where the only difference is the case in a single scope; i.e. Don't use foobar and fooBar in any part of the code where both are accessible.
typedef int INT; typedef char CHAR; /******************************************************** * Standard 217 S : Names only differ by case. * A/Ref: 5.2.1.3 ********************************************************/ INT Foobar; INT foobar; INT fOobar; void aproc(INT FooBar,CHAR aC2){;} INT main(void){ struct tag{ CHAR aC1;INT FooBar;}; } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
Don't choose names that are used in the C/C++ libraries
/******************************************************** * Standard 218 S : Name is used in standard libraries. * A/Ref: 5.2.1.2 ********************************************************/ void strstr(int x){;} void strcmp(int x){;} int main(void){ } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
CERT-C | : | PRE04-C | ||
EADS-C | : | 49 | ||
HIS | : | 115 | ||
LMTCP | : | 93 | ||
MISRA-AC | : | 20.2 | ||
MISRA-C++:2008 | : | 17-0-2, 17-0-3 | ||
MISRA-C:1998 | : | 115 | ||
MISRA-C:2004 | : | 20.2 | ||
NETRINO | : | 6.1.b, 7.1.b | ||
SEC-C | : | M1.7.2 |
Names with leading underscore shall not be defined by any programmer, since they are reserved for the compiler
typedef int INT; /******************************************************** * Standard 219 S : User name starts with underscore. * A/Ref: 5.2.1.6 ********************************************************/ INT _ohno; INT ohyes; INT main(void){ } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
Prefix the name of globally visible types (i.e. classes, enum types, typedefs, unions, classes structs etc.), macros, functions, constants and variables. Separate the prefix from the name with an underscore. The prefix should be a mnemonic for the specific subsystem/ package that the identifier belongs to.
typedef int PREFIX_int; /******************************************************** * Standard 220 S : No prefix for global type. * A/Ref: 5.2.2.1 ********************************************************/ class PREFIX_class { private: PREFIX_int anint; PREFIX_class(){;} }; typedef int NOTOK_INT; class NOTOK_class { public: NOTOK_INT another; NOTOK_class(){;} }; PREFIX_int main(void){ typedef long okok; } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
Structures and unions shall be given names that start with an upper-case letter.
This standard can be extended to cover enumerated and class types by configuring the modifier 204 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
typedef unsigned char CHAR; typedef int INT; struct lower { CHAR c; }; struct Upper { CHAR c; }; union Upun { CHAR cu; INT iu; }; typedef struct lower lowstrtype; /******************************************************** * Standard 221 S : Start of struct/union is lower case. ********************************************************/ INT main(void){ struct lower s; } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
Variable names shall start with a lower-case letter (not including subsystems/package prefixes).
typedef int INT; /******************************************************** * Standard 222 S : Start of variable is upper case. ********************************************************/ INT ok; INT ok1,Notok1; INT Ok2; INT main(void){ INT NOTOK3,ok3; } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
EADS-C | : | 70 |
Functions that are declared global shall have a prefix indicating the owner of the function. For example, the subsystem S1 has a function S1_doIt() callable from other subsystems S2, S3 etc.
typedef int INT; /******************************************************** * Standard 223 S : No prefix for global function. * A/Ref: 5.2.7.3 ********************************************************/ INT func(INT p){return 7;} INT Func(INT q){return 11;} INT main(void){ } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
This standard is not applicable to java.
Constants and enumeration value names should start with a lowercase letter (not including subsystem/package prefixes). Using the same naming conventions as for macros (or enumeration values) is allowed, provided that usage is consistent.
typedef int INT; /******************************************************** * Standard 222/224 S : Start of enumeration is upper case. * A/Ref: 5.2.6 ********************************************************/ const INT one = 1; enum { red, green,Blue}; const INT Two = 2; INT main(void){ } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
JSF++ AV | : | 52 |
C source code files should end with the extension '.c' and C header files with the extension '.h'.
C++ source code files should end with the extension '.cpp' and C++ header files with the extension '.hpp'.
LMTCP | : | 78 |
This standard is not applicable to java.
Bit patterns shall be defined in hexadecimal or octal format.In these formats the values are unsigned as default, which is what shall be used in bit-wise operations. These formats also map easier to the actual bits than the decimal format.
typedef unsigned UINT; typedef int INT; enum {won=1,too=2}; struct tag{ UINT dec:2; UINT oct:02; UINT hex:0x3; UINT enumr:won; UINT decu:3u; }; /******************************************************** * Standard 226 S : Bit field is not octal, hex or suffix u. * A/Ref: 6.1.3.5 ********************************************************/ INT main(void){ } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
SEC-C | : | P1.3.3 |
This standard is not applicable to java.
Bit patterns shall be defined in hexadecimal or octal format.In these formats the values are unsigned as default, which is what shall be used in bit-wise operations. These formats also map easier to the actual bits than the decimal format.
typedef unsigned UINT; typedef int INT; /******************************************************** * Standard 227 S : Numeric bit operand is not octal, hex or u. * A/Ref: 6.1.3.5 ********************************************************/ INT main(void){ UINT x=1,y; y = x & 20; y = x & 20u; y = x & 020; y = x & 0x20; } /* * * Copyright (c) 2002 Liverpool Data Research Associates * */
This standard is not applicable to java.
Macro definitions, where permitted, should be clearly structured with correctly balanced brackets. Heavy use of parentheses around arguments shall be used when defining macros to avoid surprises.
/*************************************************************** * Standard 228 S : Bracket mismatch ( or { in macro definition. * A/Ref: 6.3.8.2 ***************************************************************/ /* Missing right parenthesis (!) in this macro definition of a 'common' symbolic constant */ #define COMMON_SYM_CONSTANT ((2U * 3U) + 2U /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Macro definitions, where permitted, should be clearly structured with correctly balanced brackets. Heavy use of parentheses around arguments shall be used when defining macros to avoid surprises.
/*************************************************************** * Standard 229 S : Bracket mismatch ) or } in macro definition. * A/Ref: 6.3.8.2 ***************************************************************/ /* Missing left parenthesis (!) in this macro definition of a 'common' symbolic constant */ #define COMMON_SYM_CONSTANT 2U * 3U + 2U) /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
The compiler will provide a default copy constructor, but is not always appropriate because it does not initialise members that are of POD type.
Defining a minimal standard interface comprising: a default constructor; a copy constructor, a copy assignment operator and a destructor for all classes ensures a more maintainable and extensible implementation.
typedef unsigned int Uint_32; // // Standard 230 S : No copy constructor defined for class. // A/Ref: 6.1.11.4 // class Person { public: Person(); explicit Person(const Uint_32 personNum); Person & operator=(const Person &person ); ~Person(); protected: private: Uint_32 personalNumber; }; void foo(void) { Person p1(10); Person q1(p1); // invokes (compiler provided) copy constructor } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
HIC++ | : | 3.1.13 |
This standard is not applicable to c and java.
The compiler will provide a default copy assignment operator, but is not always appropriate because it does not initialise members that are of POD type.
Defining a minimal standard interface comprising: a default constructor; a copy constructor, a copy assignment operator and a destructor for all classes ensures a more maintainable and extensible implementation.
typedef unsigned int Uint_32; // // Standard 231 S : No assignment operator defined for class. // A/Ref: 6.1.11.4 // class Person { public: Person(); explicit Person(const Uint_32 personNum); explicit Person(const Person &person); ~Person(); protected: private: Uint_32 personalNumber; }; void foo(void) { Person p1(10); Person q1(10); q1 = p1; // invokes (compiler provided) copy assignment constructor } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
HIC++ | : | 3.1.13 |
This standard is not applicable to c and java.
The compiler will provide a default destructor, but is not always appropriate because it does not initialise members that are of POD type.
Defining a minimal standard interface comprising: a default constructor; a copy constructor, a copy assignment operator and a destructor for all classes ensures a more maintainable and extensible implementation.
typedef unsigned int Uint_32; // // Standard 232 S : No destructor defined for class. // A/Ref: 6.1.11.4 // class Person { public: Person(); explicit Person(const Uint_32 personNum); explicit Person(const Person &person); Person & operator=(const Person & person); protected: private: Uint_32 personalNumber; }; void foo(void) { Person *p1 = new Person(10); // Statements... delete p1; // invokes (compiler provided) destructor } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
A copy constructor shall be declared for classes that manage resources, i.e. contain pointers to data items or nontrivial destructors.
The default copy constructor provided by the compiler performs a bitwise or shallow copy, resulting in a shared resource when a duplicated resource may be necessary. An explicit declaration makes the intention clear.
typedef unsigned int Uint_32; typedef unsigned char Uchar; // // Standard 233 S : No copy constructor for class with pointers. // A/Ref: 6.1.11.5 // class Person { public: Person(); explicit Person(const Uint_32 personNum); Person & operator=(const Person &person); ~Person(); protected: private: Uint_32 personalNumber; Uchar *personName; }; Person::Person(const Uint_32 personNum) { personalNumber = personNum; } void foo(void) { Person p1(10); Person q1(p1); // invokes (compiler provided) copy constructor } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
A copy assignment operator shall be declared for classes that manage resources, i.e. contain pointers to data items or nontrivial destructors.
The default assignment operator provided by the compiler performs a bitwise or shallow copy, resulting in a shared resource when a duplicated resource may be necessary. An explicit declaration makes the intention clear.
typedef unsigned int Uint_32; typedef unsigned char Uchar; // // Standard 234 S : No assignment operator for class with pointers. // A/Ref: 6.1.11.5 // class Person { public: Person(); explicit Person(const Uint_32 personNum); explicit Person(const Person &person); ~Person(); protected: private: Uint_32 personalNumber; Uchar *personName; }; Person::Person(const Uint_32 personNum) { personalNumber = personNum; } void foo(void) { Person p1(10); Person q1(10); q1 = p1; // invokes (compiler provided) copy assignment constructor } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
A destructor shall be declared for classes that manage resources, i.e. contain pointers to data items.
The destructor should be declared because the implicit destructor will not release resources (normally dynamically allocated memory). Failure to release resources could result in resource leaks.
typedef unsigned int Uint_32; typedef unsigned char Uchar; // // Standard 235 S : No destructor for class with pointers. // A/Ref: 6.1.11.5 // class Person { public: Person(); explicit Person(const Uint_32 personNum); explicit Person(const Person &person); Person & operator=(const Person& person); protected: private: Uint_32 personalNumber; Uchar *personName; }; Person::Person(const Uint_32 personNum) { personalNumber = personNum; } void foo(void) { Person *p1 = new Person(10); // Statements... delete p1; // invokes (compiler provided) destructor } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
If a class uses new to allocate instances managed by the class, define an assignment operator.
Define or, at least, declare a copy assignment operator for classes which manage resources. The default assignment operator provided by the compiler performs a bitwise or shallow copy, resulting in a shared resource when a duplicated resource may be necessary. An explicit declaration makes the intention clear.
typedef unsigned int Uint_32; // // Standard 236 S : New used in class without assignment op. // A/Ref: 6.1.11.1 // class Person { public: Person(); explicit Person(const Uint_32 personNum); explicit Person(const Person &person); ~Person(); protected: private: Uint_32 personalNumber; Uint_32 skillsList; }; Person::Person(const Uint_32 personNum) { personalNumber = personNum; skillsList = new Uint_32[10]; // use of new operator on member data } void foo(void) { Person p1(10); Person q1(10); q1 = p1; // invokes (compiler provided) copy assignment constructor } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
The passed object reference shall not be modified by the copy assignment operator. Hence declare the (read-only) parameter as const in accordance with the general rule that const be used whenever possible.
typedef unsigned int Uint_32; // // Standard 237 S : Assignment operator parameter not const. // A/Ref: 6.1.8.3 // class Person { public: Person(); explicit Person(const Uint_32 personNum); explicit Person(const Person &person); Person & operator=(Person &person); // should be a const parameter ~Person(); protected: private: Uint_32 personalNumber; }; Person &Person::operator=(Person &person) { if (this != &person) { // Assignment code } return *this; } void foo(void) { Person p1(10); Person q1(10); q1 = p1; } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
The use of templates shall be minimised. The number of template classes declared shall be restricted to a pre-determined maximum limit.
typedef unsigned int Uint_32; // // Standard 238 S : Number of templates exceeds ***. // A/Ref: 6.1.12 // template < class T > class tplate1 { public: tplate1(); protected: private: Uint_32 value1; }; template < class T > class tplate2 { public: tplate2(); protected: private: Uint_32 value2; }; template < class T > class tplate3 { public: tplate3(); protected: private: Uint_32 value3; }; template < class T > class tplate4 { public: tplate4(); protected: private: Uint_32 value4; }; template < class T > class tplate5 { public: tplate5(); protected: private: Uint_32 value5; }; template < class T > class tplate6 { public: tplate6(); protected: private: Uint_32 value6; }; template < class T > class tplate7 // This declaration causes a violation when { // limit configured to 6. public: tplate7(); protected: private: Uint_32 value7; }; void foo(void) { // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
If a class uses new to allocate instances of the class, then a copy constructor shall be defined.
Define or, at least, declare a copy constructor for classes which manage resources. The default copy constructor provided by the compiler performs a bitwise or shallow copy, resulting in a shared resource when a duplicated resource may be necessary. An explicit declaration makes the intention clear.
typedef unsigned int Uint_32; // // Standard 239 S : New used in class without copy constructor. // A/Ref: 6.1.9.6 // class Person { public: Person(); explicit Person(const Uint_32 personNum); Person & operator=(const Person &person); ~Person(); protected: private: Uint_32 personalNumber; Uint_32 skillsList[]; }; Person::Person(const Uint_32 personNum) { personalNumber = personNum; skillsList = new Uint_32[10]; // use of new operator on member data } void foo(void) { Person p1(10); Person q1(p1); // invokes (compiler provided) copy constructor } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
Dynamic casts shall not be used due to their dependency on RTTI support (for those casts resolved at run-time). Casts involving pointers/references from a base class to a derived class and casts between different derived classes are those casts that are made at run-time.
// // Standard 240 S : Use of dynamic_cast. // A/Ref: 6.2.4 // class Base { public: Base(); explicit Base(const Base &base); Base& operator=(const Base &base); virtual ~Base(); protected: private: }; class Derived : public Base { public: Derived(); explicit Derived(const Derived &derived); Derived& operator=(const Derived &derived); virtual ~Derived(); protected: private: }; class DifferentDerived : public Base { public: DifferentDerived(); explicit DifferentDerived(const DifferentDerived &dderived); DifferentDerived& operator=(const DifferentDerived &dderived); virtual ~DifferentDerived(); protected: private: }; void foo(void) { Base *b1 = new Derived; Derived *d1 = new DifferentDerived; DifferentDerived *dd1 = dynamic_cast <DifferentDerived *> (d1); } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
JSF++ AV | : | 185 |
This standard is not applicable to c and java.
This is an "unsafe" cast, the result may not be well defined.
// // Standard 241 S : Use of reinterpret_cast. // A/Ref: 6.2.4 // class AClass { public: AClass(); explicit AClass(const AClass &ac); AClass& operator=(const AClass &ac); ~AClass(); protected: private: }; class BClass { public: BClass(); explicit BClass(const BClass &ac); BClass& operator=(const BClass &ac); ~BClass(); protected: private: }; void foo(void) { AClass *a1 = new AClass(); BClass *b1 = reinterpret_cast <BClass *> (a1); } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
The supplied type and argument must be of the same type except for a const or volatile specifier. This cast is only used to add or remove constness from an object. However, removing constness should be avoided if possible.
typedef signed int Sint_32; // // Standard 242 S : Use of const_cast. // A/Ref: 6.2.4 // Sint_32 foo(const Sint_32 &aa) { Sint_32 bb = const_cast (aa); bb = bb + 2; return bb; } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
A header file will contain a mechanism that prevents multiple inclusions of itself, i.e. using #ifndef, #define and #endif.
/************************************************************ * Standard 243 S : Included file not protected with #define. * A/Ref: 5.4.2.3 ************************************************************/ /*** #ifndef STATIC_243_H #define STATIC_243_H ***/ /* All declarations and definitions - should be excluded by the preprocessor if the file is included more than once. */ /*** #endif ***/ /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | PRE06-C | ||
CWE | : | 735 | ||
EADS-C | : | 9 | ||
HIC++ | : | 14.11 | ||
JSF++ AV | : | 27, 35 | ||
LMTCP | : | 33, 50 | ||
MISRA-AC | : | 19.15 | ||
MISRA-C++:2008 | : | 16-2-3 | ||
MISRA-C:2004 | : | 19.15 | ||
NETRINO | : | 4.2.b | ||
SEC-C | : | M4.4.6 |
This standard is not applicable to java.
The new and delete operators shall not be overloaded. Customising memory management by implementing different behaviour from the standard versions of the new and delete operators is considered dangerous.
// // Standard 244 S : new or delete overloaded. // A/Ref: // class X { public: X(); ~X(); static void *operator new(const size_t size); static void operator delete(void*); explicit X(const X &xx); X & operator=(const X &xx); protected: private: }; void foo(void) { // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
The scope of a case or default label shall always be the compound statement which is the body of the switch statement. All case clauses and the default clause shall be at the same scope. Furthermore, every switch statement shall have at least one case clause.
typedef enum Choice { first, second, third, fourth } Choice; Choice chooser; /******************************************************** * Standard 245 S : Case statement in nested block. * A/Ref: 6.3.5.2 ********************************************************/ void foo(void) { switch (chooser) { case first: a1 = b1; break; case second: /* flow through to next case label */ case third: a1 = c1; if (a1 == b1) { /* case is not allowed here - not compliant */ case fourth: } break; default: errorflag = 1; break; } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
LMTCP | : | 343, 348 | ||
MISRA-AC | : | 15.1, 15.5 | ||
MISRA-C++:2008 | : | 6-4-4 | ||
MISRA-C:2004 | : | 15.1, 15.5 | ||
SEC-C | : | M1.3.2 |
Public, protected and private sections (in that order) shall be specified explicitly in the class declaration.
typedef unsigned int Uint_32; // // Standard 246 S : Class has missing access specifiers. // A/Ref: 5.1.7.1 & 5.1.7.2 // class Person { public: Person(); explicit Person(const Uint_32 personNum); explicit Person(const Person &person); Person & operator=(const Person &person); ~Person(); }; void foo(void) { // Statements... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
An invocation of a macro definition contains, as its parameter, a nested call to itself.
typedef signed int Sint_32; /******************************************************** * Standard 247 S : Macro definition calls itself. * A/Ref: ********************************************************/ #define COMMON_MACRO(X) (ANOTHER_MACRO(X)) #define SOME_MACRO(X) (NESTED_MACRO1(X)) #define NESTED_MACRO1(X) (NESTED_MACRO2(X)) #define NESTED_MACRO2(X) (COMMON_MACRO(X)) #define ANOTHER_MACRO(X) (X) const Sint_32 s1 = 42; void foo(void) { Sint_32 myInt = COMMON_MACRO(SOME_MACRO(s1)); } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
JPL | : | 8 |
This standard is not applicable to java.
A preprocessor directive has the potential to cause a divide by zero run-time failure. Explicit coding checks should be used to handle run-time faults.
/******************************************************** * Standard 248 S : Divide by zero in preprocessor directive. * A/Ref: ********************************************************/ #define DEBUG2 2 #define DEBUG1 0 #define COMMON_MACRO(X,Y) ((X)/(Y)) #if (COMMON_MACRO(DEBUG2,DEBUG1)) == 1 /* ... */ #endif void foo(void) { /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
The performed operation on a boolean type is not appropriate. Use of a boolean variable shall be restricted to logic statements which set/test the variable for discrete values representing a true or false state.
/************************************************************* * Standard 249 S : Operation not appropriate to boolean type. * A/Ref: *************************************************************/ bool bvar = false; void foo(void) { bvar ++; } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CWE | : | 136 |
An include file <abc.h> contains an include for a file <xyz.h> which in return includes the first file <abc.h>.
This standard is not applicable to java.
Function declarations in stdio.h, defined in the C function libraries, should not be used in C++ programs. The iostream.h standard header file shall be used in preference.
#include <stdio.h> typedef unsigned int Uint_32; // // Standard 251 S : Use of stdio.h instead of iostream.h. // A/Ref: // class Person { public: Person(); explicit Person(const Uint_32 personNum); explicit Person(const Person &person); Person & operator=(const Person &person); ~Person(); protected: private: Uint32 personalNumber; }; void foo(void) { Person p1(10); } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Literal suffixes shall use uppercase rather than lowercase letters for readability.
typedef signed long Sint_64; /******************************************************** * Standard 252 S : Lower case suffix to literal number. * A/Ref: ********************************************************/ const Sint_64 fr1 = 64l; /* Avoid - looks too much like 641 */ const Sint_64 fr2 = 64L; /* Okay */ void foo(void) { Sint_64 x1 = fr2; } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
An overloaded operator has been declared without its corresponding opposite type. For consistency, paired operators, such as < and > shall both be overloaded together.
typedef signed int Sint_32; // // Standard 253 S : Opposite type operator missing. // A/Ref: // class X { public: X(); bool operator <(const Sint_32 val) const; protected: private: }; // // // Copyright (c) 2006 Liverpool Data Research Associates // //
LMTCP | : | 130 |
This standard is not applicable to c and java.
The copy assignment operator shall return a reference to this.
typedef unsigned int Uint_32; // // Standard 254 S : Operator = doesn't return reference to *this. // A/Ref: // class Person { public: Person(); explicit Person(const Uint_32 personNum); explicit Person(const Person &person); // by making return type const, cannot return ref to *this const Person & operator=(const Person &person); ~Person(); protected: private: Uint_32 personalNumber; }; void foo(void) { Person p1(10); Person q1(11); q1 = p1; } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Only the #ifndef, #define, #endif, and #include pre-processor directives shall be used. The use of the pre-processor should be limited to these directives in cases where it is necessary, e.g. to prevent multiple inclusions of the same header file.
#define DEBUG 1 #define DEBUG_ERROR 1 /******************************************************** * Standard 255 S : Found #if, #ifdef, #else, #elif. * A/Ref: ********************************************************/ #if DEBUG == 1 /* Debug at level 1 */ #ifdef DEBUG_ERROR /* Debug level 1 with error reporting */ #endif #elif DEBUG == 2 /* Debug at level 2 */ #else /* No Debug at level 1 or 2 */ #endif void foo(void) { /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
A procedure will contain no more than the specified pre-determined maximum number of logical lines of code. Long procedures tend to be complex and therefore difficult to comprehend and test.
The *** symbols refer to a user definable number for this standard, defaulting to 200. The configuration is made in the c/cpppen.dat file. Instructions for making alterations can be found in the manual.
Instead of counting logical lines, the number of pure source lines can be counted by configuring the modifier 203 in the c/cppreport.dat file. This will exclude blank or comment lines. Instructions for making alterations can be found in the report.dat file.
The #include directive shall use the <filename.h> notation to include header files. Although "filename.h" is typically used to include local header files, due to the divergence in vendor implementations, only the <filename.h> form will be used. For files not located in the source directory, relative pathnames may also be used.
/******************************************************** * Standard 257 S : Filename in #include not in < >. * A/Ref: ********************************************************/ #include <foo.h> /* Good */ #include "anotherFoo.h" /* Bad: "filename.h" form used */ void foo(void) { /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Each class declaration should be held in a separate header file.
#ifndef STATIC_258_H #define STATIC_258_H typedef unsigned int Uint_32; typedef unsigned short Uint_16; // // Standard 258 S : More than one class in header file. // A/Ref: // class Person { public: Person(); explicit Person(const Uint_32 personNum); explicit Person(const Person &person); Person & operator=(const Person &person); ~Person(); protected: private: Uint_32 personalNumber; }; class MalePerson : public Person { public: MalePerson(); explicit MalePerson(const Uint_32 personNum); MalePerson(const Uint_32 personNum, const Uint_16 weight); explicit MalePerson(const MalePerson &mperson); MalePerson & operator=(const MalePerson &mperson); ~MalePerson(); protected: private: Uint_16 weightAmount; }; #endif // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
For the sake of simplicity, readability and style, each statement shall be placed on a separate new line. Testbed inserts the required carriage return into the reformatted code to permit instrumentation. This LDRA penalty is not applicable to code substituted into the source through macro expansion, as these checks are based on the original code and do not extend to macro definitions.
typedef unsigned Uint_32; typedef signed int Sint_32; /**************************************************************** * Standard 259 S : Statement not on new line (added by Testbed). * A/Ref: ****************************************************************/ void foo(void) { Uint_32 x1; Sint_32 y1; x1 = 5U; y1 =7; /* Incorrect: multiple expression statements on the same line. */ y1 = 3; /* Correct. */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
The compiler will provide a default constructor, but is not always appropriate because it does not initialise members that are of POD type. Defining a minimal standard interface comprising: a default constructor; a copy constructor, a copy assignment operator and a destructor for all classes ensures a more maintainable and extensible implementation.
This standard can be relaxed so that it only applies to classes with virtual functions by configuring the modifier 205 in the cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
typedef unsigned Uint_32; // // Standard 260 S : No default constructor declared for class. // class Person { public: Person(const Uint_32 pNumber); // Single parameter constructor... // but no default constructor. private: Uint_32 personalNumber; }; // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
Overloading or hiding non-virtual member functions can result in unexpected behaviour as non-virtual functions are statically bound. This results in the declaration type of the pointer or reference determining the selection of member functions and not what the pointer or reference is actually pointing at.
This standard can be further restricted to check for overloaded members with differing parameter types by configuring the modifier 379 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
// // Standard 262 S : Non virtual function redefined. // class Base { public: void myFunc(void); }; class Derived : public Base { public: void myFunc(void); }; void someFunc(void) { Derived derived; Base *base_ptr = &derived; Derived *derived_ptr = &derived; base_ptr->myFunc(); // Calls Base::myFunc despite pointing at Derived object! derived_ptr->myFunc(); } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
The use of namespaces to specify multiple declarations of a type, object, function, etc. is prohibited on the basis that it is dangerous and confusing.
// // Standard 263 S : Namespace prohibited. // A/Ref: // namespace MySpace1 { class MyString { // ... }; } namespace MySpace2 { class MyString { // ... }; } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
The use of class templates is prohibited as they are regarded as dangerous.
// // Standard 264 S : Class template prohibited. // A/Ref: // template <class Atype> class tplate { public: tplate (); Atype getvalue (); void setvalue (Atype val); protected: private: Atype value; }; // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
The use of function templates is prohibited as they are regarded as dangerous.
// // Standard 265 S : Function template prohibited. // A/Ref: // template <class Tplate> void sort(vector <Tplate> ); void myFunc(vector <complex> &cv, vector <int> &iv) { sort(cv); // invoke sort(vector <complex> ) sort(iv); // invoke sort(vector <int> ) } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Constructors should not be implicitly inlined by defining them in the class body. Inline functions that invoke other inline functions often become too complex for the compiler to handle - this is especially true of constructors and destructors.
typedef unsigned Uint_32; // // Standard 266 S : Constructor defined within class declaration. // A/Ref: 6.1.9.5 // class Person { public: Person(); explicit Person(const Person &person); Person & operator=(const Person &person); ~Person(); protected: private: Uint_32 personalNumber; public: explicit Person(const Uint_32 pNumber) // Constructor definition { personalNumber = pNumber; } }; // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Hexadecimal constants will be represented using all upper case letters.
This standard can be relaxed so as to allow a lower case x by configuring the modifier 208 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
/**************************************************************** * Standard 267 S : Hexadecimal number with lower case char. ****************************************************************/ typedef enum mask_enum_type { mask_first = 0X01, mask_all = 0xff /* not compliant */ } mask_enum_type; /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Null initialise expressions in for loops will not be used; a while loop will be used instead.
typedef unsigned int Uint_32; /**************************************************************** * Standard 268 S : Empty initialisation exprsn in for loop. * A/Ref: ****************************************************************/ void foo(void) { Uint_32 loop; Uint_32 myVar = 0; const Uint_32 max = 10U; /* ... */ for (; loop < max; loop++) { /* ... */ } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
Null increment expressions in for loops will not be used; a while loop will be used instead.
typedef unsigned int Uint_32; /**************************************************************** * Standard 269 S : Empty increment exprsn in for loop. * A/Ref: ****************************************************************/ void foo(void) { Uint_32 loop; Uint_32 myVar = 0; const Uint_32 max = 10U; /* ... */ for (loop = 0; loop < max;) { /* ... */ } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
EADS-C | : | 165 | ||
HIS | : | 66 | ||
JSF++ AV | : | 200 | ||
LMTCP | : | 350, 352 | ||
MISRA-AC | : | 13.5 | ||
MISRA-C:1998 | : | 66 | ||
MISRA-C:2004 | : | 13.5 | ||
SEC-C | : | M3.3.1 |
The initialisation expression in a for loop will perform no actions other than to initialise the value of a single for loop parameter.
This standard can be relaxed to permit function calls in the initialisation expression of a for loop by configuring the modifier 249 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /**************************************************************** * Standard 270 S : For loop initialisation is not simple. ****************************************************************/ void static_270(void) { UINT_32 loop; UINT_32 myVar = 0; const UINT_32 max = 10U; /* ... */ for (loop = 0, myVar = 1U; loop < max; loop++) { /* ... */ } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
HIS | : | 66 | ||
JSF++ AV | : | 198 | Modifiers : 249 = 1 | |
LMTCP | : | 351 | Modifiers : 249 = 1 | |
MISRA-AC | : | 13.5 | ||
MISRA-C:1998 | : | 66 | ||
MISRA-C:2004 | : | 13.5 | ||
SEC-C | : | M3.3.1 |
The increment expression in a for loop will perform no action other than to change a single loop parameter to the next value for the loop.
typedef unsigned int Uint_32; /**************************************************************** * Standard 271 S : For loop incrementation is not simple. * A/Ref: ****************************************************************/ void foo(void) { Uint_32 loop; Uint_32 myVar = 0; const Uint_32 max = 10U; /* ... */ for (loop = 0; loop < max; myVar++, loop++) { /* ... */ } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
HIS | : | 66 | ||
JSF++ AV | : | 199 | ||
LMTCP | : | 351 | ||
MISRA-AC | : | 13.5 | ||
MISRA-C++:2008 | : | 6-5-4 | ||
MISRA-C:1998 | : | 66 | ||
MISRA-C:2004 | : | 13.5 | ||
SEC-C | : | M3.3.1 |
The #ifndef and #endif pre-processor directives will only be used as part of the technique to prevent multiple inclusions of the same header file. It is preferable to use code rather than the #ifndef pre-processor directive in all other cases.
/************************************************************ * Standard 272 S : Found #ifndef (ref. removed). * A/Ref: 5.4.2.3 ************************************************************/ #ifndef STATIC_272_H #define STATIC_272_H #ifndef REPORT_ERRORS #define REPORT_WARNINGS #endif /* All declarations and definitions - excluded by the preprocessor if the file is included more than once. */ #endif /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
The #define pre-processor directive will only be used as part of the technique to prevent multiple inclusions of the same header file. Using #define for inline macros and constants shall be avoided.
/************************************************************ * Standard 273 S : Found #define. * A/Ref: 5.4.2.3 ************************************************************/ #ifndef STATIC_273_H #define STATIC_273_H #define MYSQMACRO ((X) * (X)) /* All declarations and definitions - excluded by the preprocessor if the file is included more than once. */ #endif /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
In order that an identifier name be meaningful, it must be no shorter than the specified pre-determined minimum length.
typedef unsigned int Uint_32; /**************************************************************** * Standard 274 S : Name found with length less than ***. * A/Ref: ****************************************************************/ void foo(void) { Uint_32 x; /* Avoid - too short to be meaningful */ Uint_32 yCoordinate; /* Okay - a meaningful name */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
Omission of a tag has the disadvantage that no further definitions of the structure, union or enum may be made later in the program code. Without a tag, the declaration cannot be referred to and definitions are not possible.
typedef unsigned int Uint_32; /**************************************************************** * Standard 275 S : Tag missing in struct, union or enum. * A/Ref: ****************************************************************/ struct /* Bad - tag missing */ { Uint_32 x_value; Uint_32 y_value; } pos_var; struct Position /* Good - struct tag included, allowing multiple definitions */ { Uint_32 anon_x_value; Uint_32 anon_y_Value; }; void foo(void) { pos_var.x = 0; pos_var.y = 0; struct Position first_pos = {1U, 1U}; struct Position second_pos = {2U, 1U}; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
The switch statement contains a case constant expression which is not part of the switch chooser enumerated list of values. Case values shall be restricted to those identified in the enumeration.
typedef unsigned int Uint_32; typedef enum Seasons { spring, summer, autumn, winter } Seasons; Seasons season; Uint_32 x1; /**************************************************************** * Standard 276 S : Case is not part of switch enumeration. * A/Ref: ****************************************************************/ void foo(void) { switch (season) { case spring: x1 = 1U; break; case summer: x1 = 4U; break; case autumn: x1 = 7U; break; case 4: x1 = 10U; break; default: break; } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
GJB | : | 5.1.6 |
The switch chooser shall be an enumeration so that the list of possible values are well-defined and that the switch statement may be checked to cater for all expected cases.
typedef unsigned int Uint_32; Uint_32 season; Uint_32 x1; /**************************************************************** * Standard 277 S : Switch chooser is not an enumeration. * A/Ref: ****************************************************************/ void foo(void) { switch (season) { case 1: x1 = 1U; break; case 2: x1 = 4U; break; case 3: x1 = 7U; break; case 4: x1 = 10U; break; default: break; } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
There is a mismatch between the defined enumerated value list and the cases catered for by the switch statement. All switch statements that do not intend to test for every enumeration value shall, at least, contain a final default clause.
This standard can be relaxed to allow switch statements that do not test for every enumeration value, but have a default clause. This is done by configuring the modifier 233 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" typedef enum Seasons { spring, summer, autumn, winter } Seasons; Seasons season; UINT_32 x1; /**************************************************************** * Standard 278 S : Switch has missing or extra cases. ****************************************************************/ void static_278(void) { switch (season) { case spring: x1 = 1U; break; case summer: x1 = 4U; break; case autumn: x1 = 7U; break; default: break; } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
C++ exceptions shall not be used. The use of exceptions can lead to unexpected code branches, especially in library code which was not designed to handle exceptions. Also, other code may generate unexpected exceptions for which there is no handler.
typedef unsigned int Uint_32; // // Standard 279 S : Try keyword found. // A/Ref: 6.3.10.1 // void f(void) { // ... // Uint_32 type exception thrown here // ... } void g(void) { try { f(); } // ... // handle Uint_32 exceptions here... // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
C++ exceptions shall not be used. The use of exceptions can lead to unexpected code branches, especially in library code which was not designed to handle exceptions. Also, other code may generate unexpected exceptions for which there is no handler.
typedef unsigned int Uint_32; // // Standard 280 S : Catch keyword found. // A/Ref: 6.3.10.1 // void f(void) { // ... // Uint_32 type exception thrown here // ... } void g(void) { // ... // try used with f() // ... catch (Uint_32 &someInt) { // handle Uint_32 exceptions here... } } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
C++ exceptions shall not be used. The use of exceptions can lead to unexpected code branches, especially in library code which was not designed to handle exceptions. Also, other code may generate unexpected exceptions for which there is no handler.
// // Standard 281 S : Throw keyword found. // A/Ref: 6.3.10.1 // void f(void) { throw Exception exception1; } void g(void) { // ... // try used with f() // ... // ... // handle Exception type exceptions here... // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
Avoid the use of mutable where possible. The 'mutable' keyword can be used to declare member data which can be modified in const functions, this should only be used where the member data does not affect the externally visible state of the object.
typedef unsigned int Uint_32; // // Standard 282 S : Mutable keyword found. // A/Ref: // class Person { public: Person(); explicit Person(const Uint_32 personNum); Person & operator=(const Person &person); explicit Person(const Person &person); ~Person(); Uint_32 bar(void) const; protected: private: Uint_32 personalNumber; mutable Uint_32 pNum; }; Uint_32 Person::bar(void) const { // ... // ok to amend pNum here, even though this is a const member function // ... return pNum; } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
EADS-C++ | : | 6 |
This standard is not applicable to c and java.
Multiple direct inheritance describes an inheritance structure where more than one direct base class appears in the base list of a derived class declaration.
Multiple inheritance can lead to complicated inheritance hierarchies that are difficult to comprehend and maintain.
// // Standard 283 S : Multiple direct inheritance found. // A/Ref: // class AClass { public: AClass(); explicit AClass(const AClass &ac); AClass& operator=(const AClass &ac); ~AClass(); protected: private: }; class AAClass { public: AAClass(); explicit AAClass(const AAClass &aac); AAClass& operator=(const AAClass &aac); ~AAClass(); protected: private: }; class BClass : public AClass, public AAClass // direct multiple inheritance { public: BClass(); explicit BClass(const BClass &bc); BClass& operator=(const BClass &bc); ~BClass(); protected: private: }; class CClass : public BClass // indirect multiple inheritance { public: CClass(); explicit CClass(const CClass &cc); CClass& operator=(const CClass &cc); ~CClass(); protected: private: }; // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
A cast preceded by a cast is likely to result in a redundant stage of conversion in the statement.
typedef unsigned short Uint_16; typedef unsigned int Uint_32; typedef unsigned long Uint_64; /******************************************* * Standard 284 S : Cast preceded by a cast. * A/Ref: *******************************************/ void foo(Uint_16 original) { Uint_64 myInt; myInt = (Uint_64)(Uint_32)original; } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
Declarations of classes need not be included in files that only access the class via pointers or references. The declaration should be supplied by forward headers that contain forward declarations, thereby limiting implementation dependencies, maintenance effort and compile time. Classes for which member definitions have been provided, or contain a class, or nested within another class, or used as a base, are exempt from this penalty.
typedef unsigned int Uint_32; // // Standard 285 S : Class definition not needed in file. // A/Ref: // class Person { public: Person(); protected: private: Uint_32 personalNumber; }; void foo(Person &person) { // Statements... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
Header files shall not contain function definitions. A definition may not be suitable for all files which include the header file.
Header files should typically contain interface declarations - not implementation details.
This standard can be relaxed to allow inline definitions in header files by configuring the modifier 238 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#ifndef STATIC_286_H #define STATIC_286_H /* Some declarations... */ typedef unsigned int Uint_32; void static_286(void); /**************************************************** * Standard 286 S : Functions defined in header file. ****************************************************/ void static_286(void) /* not compliant */ { /* Statements... */ } #endif /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
JSF++ AV | : | 39 | Modifiers : 238 = 1 | |
LMTCP | : | 57, 204 | Modifiers : 238 = 1 | |
MISRA-AC | : | 8.5 | ||
MISRA-C++:2008 | : | 3-1-1 | Modifiers : 238 = 1 | |
MISRA-C:2004 | : | 8.5 | ||
NETRINO | : | 4.2.c | ||
SEC-C | : | M4.4.5 |
This standard is not applicable to java.
Header files shall not contain variable definitions. A definition may not be suitable for all files which include the header file. Header files should typically contain interface declarations - not implementation details.
This standard can be relaxed to allow const declarations by configuring the modifier 250 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#ifndef STATIC_287_H #define STATIC_287_H /* Some declarations... */ typedef unsigned int Uint_32; /******************************************************* * Standard 287 S : Variable definitions in header file. *******************************************************/ const Uint_32 const_var = 99U; /* not compliant, but permitted with modifier 250 */ Uint_32 myVar = const_var; /* not compliant */ #endif /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
JSF++ AV | : | 39 | Modifiers : 250 = 1 | |
LMTCP | : | 57, 204 | Modifiers : 250 = 1 | |
MISRA-AC | : | 8.5 | ||
MISRA-C++:2008 | : | 3-1-1 | ||
MISRA-C:2004 | : | 8.5 | ||
NETRINO | : | 4.2.c | ||
SEC-C | : | M4.4.5 |
This standard is not applicable to java.
By convention, header files shall end with the extension '.h'.
This standard can be relaxed to allow the '.hpp' extension by configuring the modifier 301 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "static_288.x" /* not compliant */ #include "static_288.hpp" /* not compliant, but permitted by modifier 301 */ /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Each header file shall include no more than one class declaration (see S 258), and, if it does indeed contain a class declaration, the header file name should reflect its content by containing the name of the class.
#ifndef STATIC_289_H #define STATIC_289_H typedef unsigned int Uint_32; // // Standard 289 S : Header file name does not include class name. // A/Ref: // class Person { public: Person(); protected: private: Uint_32 personalNumber; }; #endif // // // Copyright (c) 2006 Liverpool Data Research Associates // //
JSF++ AV | : | 55 |
This standard is not applicable to c and java.
C++ source code files that contain the definition of a particular class (or struct) shall have a name that reflects the content and contain the defined class name. Note, that for files that contain definitions for more than one class, or specialisations of a templated class, this penalty is not applicable.
JSF++ AV | : | 56 |
This standard is not applicable to c.
When declaring and defining functions, the leading parenthesis and the first argument will be written on the same line as the function name. Each additional argument will be written on a separate line (with the closing parenthesis directly after the last argument) to promote readability and a consistent style.
typedef unsigned int Uint_32; // // Standard 291 S : First parameter not on same line as function. // A/Ref: // void someFunc( Uint_32 &firstParam, Uint_32 &secondParam) { // Statements ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
The #include directive shall be followed by either a <filename> or "filename" sequence, and separated by a space.
/********************************************************** * Standard 292 S : No space between #include and filename. * A/Ref: **********************************************************/ #include <foo.h> /* Good */ #include <anotherFoo.h> /* Incorrect: no space */ void myFunc(void) { /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
All code constructs shall be ANSI compliant, i.e. conform to the ISO C/C++ Standard.
In order to support portability and compiler compatibility, avoid compiler specific language or pre-processor extensions.
To enable this penalty the user must indicate to what extent the check should be performed. The C/CPPVALS.DAT file provides a mechanism to select specific extensions to the language through the 165 record entry. For example, extensions supported under a particular language dialect may be checked in isolation:
165 4GREEN 4 indicates dialect-specific, and GREEN (Green Hills) is the name of the dialect
// // Standard 293 S : Non Ansi construct used. // A/Ref: // void check_ansi(void) { float64 ff; // Compiler-specific language extension // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
EADS-C | : | 135 | ||
HIC++ | : | 13.4 | ||
HIS | : | 1 | ||
JSF++ AV | : | 8 | ||
LMTCP | : | 8, 402, 403 | ||
MISRA-AC | : | 1.1 | ||
MISRA-C:1998 | : | 1 | ||
MISRA-C:2004 | : | 1.1 | ||
NETRINO | : | 1.1.a, 1.1.b |
This standard is not applicable to java.
Namespaces will not be nested more than a pre-determined maximum number of levels deep. Deeply nested namespaces can be difficult to comprehend and use correctly.
// // Standard 294 S : Namespace nested more than *** deep. // namespace MySpace1L1 { namespace MySpace1L2 { namespace MySpace1L3 { class MyString { public: // ... protected: //... private: //... }; } } } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Digraphs are special two character sequences that are translated into specific single characters like { or #.
Digraphs, and specifically the alternatives for: { } [ ] # ##, will not be used. The use of digraphs leads to poor readability of code.
// // Standard 295 S : Use of digraph. // A/Ref: // void foo(void) <% // Represents { //... %> // Represents } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to java.
Functions shall always be declared at file scope. Declaring functions at block scope may be confusing, and can lead to undefined behaviour.
/**************************************************** * Standard 296 S : Function declared at block scope. * A/Ref: ****************************************************/ void foo(void) { void bar(void); /* Statements ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CWE | : | 758 | ||
HIS | : | 68 | ||
JSF++ AV | : | 107 | ||
LMTCP | : | 202 | ||
MISRA-AC | : | 8.6 | ||
MISRA-C++:2008 | : | 3-1-2 | ||
MISRA-C:1998 | : | 68 | ||
MISRA-C:2004 | : | 8.6 |
This standard is not applicable to java.
Only declare trivial functions 'inline'. Limit inline member functions to the pre-determined maximum number of source lines.
Inline functions do not necessarily improve performance and they can have a negative effect. Inappropriate use will lead to longer compilation times, slower runtime performance and larger binaries.
typedef unsigned int Uint_32; const Uint_32 agelimit = 18U; const Uint_32 junior = 0; // // Standard 297 S : Inline member has more than *** source lines. // class Person { public: Person(); explicit Person(const Uint_32 personNum); explicit Person(const Person &person); Person & operator=(const Person &person); ~Person(); protected: private: Uint_32 personalNumber; public: void adjustNum(void) { if (personNumber < agelimit) { personalNumber = junior; } } }; void foo(void) { Person p1(10); p1.adjustNum(); //... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Non const pointers to functions shall not be used. There is a danger that a pointer whose value is calculated at run-time, may, due to an error, point to an arbitrary location.
Furthermore pointers to functions cause problems with dependence on the order in which function-designator and function arguments are evaluated when calling functions.
typedef unsigned int Uint_32; Uint_32 drawline(Uint_32 length); /************************************************* * Standard 298 S : Non const pointer to function. * A/Ref: 6.1.6.6 *************************************************/ /* * Define a pointer to a function * with an 'unsigned int' as a parameter. */ typedef Uint_32 (*fptr)(Uint_32 len); /* Should be const */ /* Now assign a function address to the pointer... */ void foo(void) { /* Invoke the function through the function pointer... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
NETRINO | : | 1.8.b |
This standard is not applicable to java.
A typedef will be used to simplify program syntax when declaring function pointers.
typedef unsigned int Uint_32; Uint_32 drawline(Uint_32 length); /**************************************************************** * Standard 299 S : Pointer to function declared without typedef. * A/Ref: 6.1.6.4 ****************************************************************/ /* * Define a pointer to a function * with an 'unsigned int' as a parameter. */ Uint_32 (*fptr)(Uint_32 len); /* Should be a typedef */ /* Now assign a function address to the pointer... */ void foo(void) { /* Invoke the function through the function pointer... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
C++ source code files shall end with the extension '.cpp'.
This standard is not applicable to c and java.
When using braces to define the structure of the code, matching pairs shall be vertically aligned in the same column.
typedef unsigned int Uint_32; const Uint_32 limit = 32U; /**************************************************** * Standard 301 S : } not aligned vertically below {. * A/Ref: ****************************************************/ void foo(Uint_32 myParam) { if (myParam > limit) { myParam = limit; } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
Code that is not used (commented out) shall be deleted unless it is part of an explanation. The block commenting of code can lead to the inadvertent omission of more than was intended.
typedef unsigned int Uint_32; const Uint_32 limit = 32U; /**************************************************** * Standard 302 S : Comment possibly contains code. * A/Ref: ****************************************************/ void foo(Uint_32 myParam) { if (myParam > limit) { myParam = limit; /* myParam--;*/ } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | MSC04-C | ||
CMSE | : | 10.2.1 | ||
DERA | : | 10 | ||
EADS-C | : | 32, 168 | ||
GJB | : | 4.10.2.1 | ||
HIS | : | 10 | ||
JSF++ AV | : | 127 | ||
LMTCP | : | 238 | ||
MISRA-AC | : | 2.4 | ||
MISRA-C++:2008 | : | 2-7-2, 2-7-3 | ||
MISRA-C:1998 | : | 10 | ||
MISRA-C:2004 | : | 2.4 | ||
NETRINO | : | 2.1.c | ||
NIST-CWE | : | 489 |
All base classes with a virtual function shall define a virtual destructor. If the base class destructor is not virtual, and an attempt to destroy an object (of a derived class) is made through a pointer to its base class, the destructor for the base class will be invoked rather than the derived base class destructor.
In most cases, destructors should be virtual, because maintenance or reuse may add derived classes that require a virtual destructor.
By default, the violation is associated with the base class, but it can be associated with the derived classes by by configuring the modifier 292 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
// // Standard 303 S : Virtual class members need virtual destructor. // class Base { public: Base(); explicit Base(const Base &base); Base & operator=(const Base &base); virtual void myFunc(void); ~Base(); // should be virtual... protected: private: }; /* not compliant */ class Derived : public Base { public: Derived(); explicit Derived(const Derived &derived); Derived & operator=(const Derived &derived); virtual void myFunc(void); virtual ~Derived(); protected: private: }; void someFunc(void) { Derived *derived_ptr = new Derived(); Base *base_ptr = derived_ptr; //... delete base_ptr; // Does not call derived destructor! } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Arithmetic on unsigned values shall not be performed - so that potential mixed arithmetic or comparison operations between unsigned and signed values be avoided.
typedef unsigned int Uint_32; const Uint_32 scale = 32U; /*********************************************************** * Standard 304 S : Arithmetic performed on unsigned values. * A/Ref: ***********************************************************/ void foo(Uint_32 myParam) { myParam = myParam * scale; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
A spurious inspect annotation for a particular standard is present in the code. The line should be removed to avoid confusion and aid readability.
typedef unsigned int Uint_32; const Uint_32 scale = 32U; /************************************************************* * Standard 305 S : Unused inspect annotation for standard ... * A/Ref: *************************************************************/ /*LDRA_INSPECTED 303 S*/ void foo(Uint_32 myParam) { myParam = myParam * scale; /* this actually triggers penalty 304 S not 303 S*/ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
C++ style casts (const_cast, reinterpret_cast, and static_cast) shall be used instead of traditional C type casts. A C++ style cast is easier to locate in large programs and makes the intended conversion explicit.
typedef unsigned short Uint_16; typedef unsigned long Uint_64; // // Standard 306 S : Use of C type cast. // A/Ref: 6.2.4 // void foo(Uint_16 *original) { Uint_64 myInt; myInt = (Uint_64) *original; } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to java.
Only specific pre-processor directives shall be used, namely: #ifndef #define #endif #include, and only in those cases where it is necessary.
typedef unsigned int Uint_32; const Uint_32 limit = 32U; /**************************************************************** * Standard 307 S : Use of #LINE, #ERROR preprocessor directives. * A/Ref: ****************************************************************/ void foo(Uint_32 myParam) { if (myParam > limit) { #error } else { #line 4 myOtherFile.c myParam++; } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
The de-reference operator '*' and the address-of operator '&' will be directly connected with the type-specifier. Although attachment to name is also valid, heavy emphasis on types in C++ suggests that attachment to type is the preferable form.
typedef unsigned short Uint_16; // // Standard 309 S : Asterisk or ampersand not attached to type. // A/Ref: // void foo(Uint_16 *my_int_ptr) { // Statements... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to java.
Arrays shall not be passed as parameters. The degeneration of arrays to pointers when passed as parameters is often the source of errors. Array bounds checking is not performed on C-style arrays and undefined behaviour may arise from an attempt to access memory outside the bounds of an array.
C++ classes that enforce appropriate bounds should be used.
typedef unsigned short Uint_16; // // Standard 310 S : Array parameter found. // A/Ref: // void foo(Uint_16 my_int_array[]) { // Statements... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Every non-local name, except main(), should be placed in some namespace. The unnamed namespace may be used to make non-member functions, which are not part of the external interface, non-linkable from other translation units.
typedef unsigned int Uint_32; Uint_32 outside_namespace_int; // not in a namespace - not ok const Uint_32 initial_int = 0; // not in a namespace - not ok namespace MySpace { // // Standard 311 S : Non local declaration not in a namespace. // A/Ref: // Uint_32 inside_namespace_int; // inside namespace - ok void foo(void) { inside_namespace_int = initial_int; //... } } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
All letters contained in function names will be composed entirely of lower case letters as a matter of style.
A deviation from this standard, and standards 313 S and 318 S, can be permitted where a specific upper case acronym or identifier must be part of the name. See S 318 for details.
// // Standard 312 S : Function name is not all lower case. // A/Ref: // void fooBar(void) { //... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
All letters contained in variable names will be composed entirely of lower case letters as a matter of style.
A deviation from this standard, and standards 312 S and 318 S, can be permitted where a specific upper case acronym or identifier must be part of the name. See S 318 for details.
typedef unsigned int Uint_32; // // Standard 313 S : Variable name is not all lower case. // A/Ref: // void foo_bar(void) { Uint_32 myVar; //... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
JSF++ AV | : | 51 |
All switch statements will have at least two cases and a potential default. Alternatively the use of an if statement provides a more natural representation.
typedef unsigned int Uint_32; typedef enum FavouriteSeasons { spring } FavouriteSeasons; FavouriteSeasons season; Uint_32 x1; /****************************************************** * Standard 314 S : Switch has only 1 case and default. * A/Ref: ******************************************************/ void foo(void) { switch (season) { case spring: x1 = 1U; break; default: break; } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
Spaces will not be used around the . operator.
typedef unsigned int Uint_32; /************************************************* * Standard 315 S : Blank before/after . operator. * A/Ref: *************************************************/ const Uint_32 xstart = 1U; const Uint_32 yend = 240U; typedef struct Position { Uint_32 xValue; Uint_32 yValue; } Position; void foo(void) { Position myPos; myPos .xValue = xstart; /* Blank before */ myPos. yValue = yend; /* Blank after */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Bit fields shall have explicitly unsigned integral types only. Explicitly declaring a bit field unsigned prevents unexpected sign extension or overflow.
#include "c_standards.h" /****************************************************** * Standard 316 S : Bit field is not unsigned integral. ******************************************************/ typedef struct Message { SINT_32 x_set:0x4; UINT_32 y_set:0x4; } Message; void static_316(void) { Message message_chunk; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
The first word of the name of a class, structure, namespace, enumeration, or type created with typedef will begin with an uppercase letter. All other letters will be lowercase.
typedef unsigned int uint_32; /* bad */ /************************************************************** * Standard 317 S : Typedef name starts with lower case letter. * A/Ref: **************************************************************/ typedef struct Position /* good */ { uint_32 x_value; uint_32 y_value; } Position; void foo(void) { Position my_pos; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
The first word of the name of a class, structure, namespace, enumeration, or type created with typedef may begin with an upper case or lower case letter. All other letters will be lower case.
A deviation from this standard, and standards 312 S and 313 S, can be permitted where a specific upper case acronym or identifier must be part of the name. If names incorporating upper case acronyms or identifiers are required, the acronyms may be specified in the c/cpptbend.dat file:
.. 0 Text for acronyms 3 ZZZ This may be removed or replaced by required acronyms 4 ACRO 3 RGB 0 <end of acronyms> ..
In addition, the modifier 256 must be set in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
Acronyms within a name must be either at the start or end of the name, or separated by one or more underscore (_) characters from other parts of the name.
typedef unsigned int UINT_32; /* Not compliant */ /*********************************************************** * Standard 318 S : Name letters after first not lower case. ***********************************************************/ typedef struct Position { UINT_32 x_value; UINT_32 y_value; } Position; /* Ok */ typedef enum Colour_RGB { red, green, blue } Colour_RGB; /* Ok */ typedef struct ACRORGB { UINT_32 red_el; UINT_32 green_el; UINT_32 blue_el; } ACRORGB; /* Not compliant - not separated by an underscore */ void static_318(void) { Position my_pos; Colour_RGB col = red; ACRORGB my_col_struct; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
Each constructor must provide values for all member data items, either via an initialisation list or through assignment in the body of the constructor.
It is more efficient to perform the initialisation through the initialisation list rather than through assignment in the body of the constructor. This standard can be further restricted to enforce the use of initialisation rather than assignment by configuring the modifier 237 in the cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" // // Standard 319 S : Constructor has insufficient initialisers. // class Person { public: Person(); explicit Person(const UINT_32 &person); Person & operator=(const Person &person); ~Person(); protected: private: UINT_32 personalNumber; UINT_32 personAge; }; Person::Person(const UINT_32 &pNum ) : personalNumber(pNum) { //personAge is not given a value } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
A default case shall be added at the end of each switch statement to trap all unspecified cases and remove the possibility of runtime errors occurring. Any further case statement placed after a default case should be removed or replaced at an earlier position.
typedef unsigned int Uint_32; typedef enum FavouriteSeasons { spring, summer, autumn, winter } FavouriteSeasons; FavouriteSeasons season; Uint_32 x1; /****************************************************** * Standard 322 S : Default is not last case of switch. * A/Ref: ******************************************************/ void foo(void) { switch (season) { case spring: x1 = 1U; break; case summer: x1 = 4U; break; case autumn: x1 = 7U; break; default: break; case winter: x1 = 10U; break; } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
A default case shall be added at the end of each switch statement to trap all unspecified cases and remove the possibility of runtime errors occurring. Any further default case statement placed after the first default case is redundant and should be removed.
typedef unsigned int Uint_32; typedef enum FavouriteSeasons { spring, summer, autumn, winter } FavouriteSeasons; FavouriteSeasons season; Uint_32 x1; /********************************************************* * Standard 323 S : Switch has more than one default case. * A/Ref: *********************************************************/ void foo(void) { switch (season) { case spring: x1 = 1U; break; case summer: x1 = 4U; break; case autumn: x1 = 7U; break; case winter: x1 = 10U; break; default: break; default: break; } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
EADS-C | : | 163 |
A function-like macro shall not be invoked without all of its arguments.
typedef signed int Sint_32; /************************************************************* * Standard 324 S : Macro call has wrong number of parameters. *************************************************************/ #define COMMON_MACRO(X, Y) ((X) * (Y)) const Sint_32 s1 = 42; void foo(void) { Sint_32 myInt = COMMON_MACRO(s1); } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
No tag name shall be reused either to define a different tag or for any other purpose within the program.
typedef signed int Sint_32; typedef signed char Char; /******************************************* * Standard 325 S : Inconsistent use of tag. *******************************************/ void foo(void) { { struct tag_name { Sint_32 tag_component2; } tag_name2; /* ... */ } { union tag_name /* Not Compliant */ { Sint_32 tag_component3; Char tag_component4; } tag_name3; /* ... */ } /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Data types shall be explicitly stated.
typedef signed int Sint_32; /*********************************************** * Standard 326 S : Declaration is missing type. ***********************************************/ static foo(void); /* Non-compliant - implicit type */ static Sint_32 bar(void); /* Compliant - explicit type */ /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Identifier names for struct or class members shall not be reused in another construct. Reusing identifier names leads to code which is confusing.
typedef signed int Sint_32; const Sint_32 init_val = 12; /******************************************************** * Standard 327 S : Reuse of struct or class member name. ********************************************************/ struct I_var_a { Sint_32 ip1; Sint_32 ip2; } struct I_var_b { Sint_32 ip2; /* Reuse! */ Sint_32 ip3; Sint_32 ip4; } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Structures containing sets of bits shall not include any other data within the same structure.
typedef unsigned int Uint_32; /*********************************************************** * Standard 328 S : Non bit field member in bitfield struct. ***********************************************************/ typedef struct Message { Uint_32 x_set:0x4; Uint_32 y_set:0x4; Uint_32 z_set; } Message; void foo(void) { Message message_chunk; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Do not use plain char type when declaring objects that are subject to numeric operations. In this case always use an explicit signed char or unsigned char declaration.
typedef unsigned char Byte; /*********************************************************** * Standard 329 S : Operation not appropriate to plain char. ***********************************************************/ void foo(char ic_byte) { ic_byte++; /* bad - plain char used for numeric operation */ /* ... */ Byte og_byte; /* good - use a 'signed/unsigned char' typedef... */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | INT07-C | ||
CERT-J | : | FIO32-J | ||
CWE | : | 327, 682 | ||
HIC++ | : | 8.4.5 | ||
LMTCP | : | 11, 267 | ||
MISRA-AC | : | 6.1 | ||
MISRA-C++:2008 | : | 4-5-3 | ||
MISRA-C:2004 | : | 6.1 | ||
NETRINO | : | 5.2.c | ||
SEC-C | : | P1.3.1 |
This standard is not applicable to java.
There shall be no implicit conversions between expressions of one underlying type to another. Specifically this penalty highlights conversions from wider to narrower types.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef unsigned short Uint_16; typedef unsigned int Uint_32; /********************************************************** * Standard 330 S : Implicit conversion of underlying type. **********************************************************/ Uint_16 u16a = 0U; Uint_32 u32a = 0U; void bar(void) { u16a = u32a; /* implicit cast to a narrower type */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CWE | : | 192 | Modifiers : 191 = 1 | |
MISRA-AC | : | 10.1, 10.2 | ||
MISRA-C:2004 | : | 10.1, 10.2 | ||
NETRINO | : | 5.3.c, 5.4.b |
This standard is not applicable to java.
A U suffix shall be applied to all constants of unsigned type.
This standard can be relaxed to allow zero literal values without a U by configuring the modifier 358 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
The standard can be further restricted to check for the use of signed literal values in array declarations by configuring the modifier 309.
#include "c_standards.h" /***************************************************** * Standard 331 S : Literal value requires a U suffix. *****************************************************/ void static_331(void) { UINT_32 x1 = 5; /* not compliant */ UINT_32 y1 = 6U; UINT_64 z1 = 0; /* not compliant, but permitted by modifier 358 */ y1 = y1 * 7; /* not compliant */ /* Integer constant '7' should be '7U' when forming part of an expression containing unsigned int types. */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | INT13-C | ||
CWE | : | 195 | Modifiers : 358 = 1 | |
DERA | : | 18 | ||
EADS-C++ | : | 23 | ||
HIC++ | : | 6.1 | ||
HIS | : | 18 | ||
MISRA-AC | : | 10.6 | ||
MISRA-C++:2008 | : | 5-0-4 | ||
MISRA-C:1998 | : | 18 | ||
MISRA-C:2004 | : | 10.1 | ||
SEC-C | : | M1.2.2 |
This standard is not applicable to java.
An explicit cast to a wider underlying type shall not be performed on the value of a complex integer expression. Conversions on complex expressions are often a source of confusion.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef unsigned short Uint_16; typedef unsigned int Uint_32; /*************************************************************** * Standard 332 S : Widening cast on complex integer expression. ***************************************************************/ Uint_16 u16a = 40000U; Uint_16 u16b = 30000U; void foo(void) { Uint_32 u32 = (Uint_32) (u16a + u16b); /*...*/ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | INT02-C | ||
CERT-J | : | INT03-J | ||
CWE | : | 192 | ||
LMTCP | : | 365 | ||
MISRA-AC | : | 10.3 | ||
MISRA-C++:2008 | : | 5-0-8 | ||
MISRA-C:2004 | : | 10.3 |
An explicit cast to a wider float type shall not be performed on the value of a complex float expression. Conversions on complex expressions are often a source of confusion.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef float Float_32; typedef double Float_64; /************************************************************* * Standard 333 S : Widening cast on complex float expression. *************************************************************/ Float_32 f32a = 4.0F; Float_32 f32b = 3.0F; void foo(void) { Float_64 f64 = (Float_64) (f32a + f32b); /*...*/ } /* * * Copyright (c) 2006 Liverpool Data Research Associates *
The result of applying the bit-wise operator ~ or << to an operand of underlying type unsigned char or unsigned short shall be immediately cast to the underlying type of the operand. The effect of any unanticipated behaviour due to high order bits introduced through integral promotion is then avoided.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef unsigned short Uint_16; typedef unsigned char Uint_8; /*************************************************************** * Standard 334 S : No cast when ~ or << applied to small types. ***************************************************************/ Uint_8 port = 0x5aU; Uint_16 mode = 0xffff; Uint_16 result_16; Uint_16 another_result_16; void foo(void) { result_16 = ((port << 4) & mode) >> 6; /* no cast !*/ another_result_16 = ((Uint_16)((Uint_16)port << 4) & mode) >> 6; /* correct casting, albeit widening... */ /*...*/ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | INT02-C | ||
CWE | : | 192, 197 | Modifiers : 191 = 1 | |
LMTCP | : | 298 | ||
MISRA-AC | : | 10.5 | ||
MISRA-C++:2008 | : | 5-0-10 | ||
MISRA-C:2004 | : | 10.5 | ||
SEC-C | : | R2.5.3 |
This standard is not applicable to java.
The operator defined shall not process any expression other than a macro identifier, which has either previously been defined or has not been previously defined.
typedef unsigned int Uint_32; const Uint_32 max_value = 255U; /*********************************************************** * Standard 335 S : operator defined contains illegal items. ***********************************************************/ #if defined(X > Y) /* undefined behaviour, not permitted */ /* ... */ #endif /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CWE | : | 736, 758 | ||
HIS | : | 100 | ||
LMTCP | : | 42 | ||
MISRA-AC | : | 19.14 | ||
MISRA-C++:2008 | : | 16-1-1 | ||
MISRA-C:1998 | : | 100 | ||
MISRA-C:2004 | : | 19.14 | ||
SEC-C | : | M4.7.4 |
This standard is not applicable to java.
The defined operator shall not be included in a #if pre-processor directive through macro expansion substitution.
typedef unsigned int Uint_32; const Uint_32 max_value = 255U; /********************************************************** * Standard 336 S : #if expansion contains define operator. **********************************************************/ #define DEFINED defined #if DEFINED(X) /* undefined behaviour, not permitted */ /* ... */ #endif /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CWE | : | 758 | ||
HIS | : | 100 | ||
LMTCP | : | 42, 411 | ||
MISRA-AC | : | 19.14 | ||
MISRA-C++:2008 | : | 16-1-1 | ||
MISRA-C:1998 | : | 100 | ||
MISRA-C:2004 | : | 19.14 | ||
SEC-C | : | M4.7.4 |
This standard is not applicable to java.
Macro identifiers specified in #if pre-processor directive shall be defined before use.
/*************************************************** * Standard 337 S : Undefined macro variable in #if. ***************************************************/ #if DEBUG1 /* do something */ #else /* do something else */ #endif void foo(void) { /*...*/ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
A #include statement shall only be preceded by other pre-processor directives or comments.
typedef unsigned int Uint_32; #include /*************************************************************** * Standard 338 S : #include preceded by non preproc directives. ***************************************************************/ void foo(void) { /*...*/ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
A comment shall not appear between the pre-processor directive #include and the associated header filename.
/********************************************************** * Standard 339 S : #include directive with illegal items. * A/Ref: **********************************************************/ #include <foo.h> /* Good */ #include /* comment */ "bar.h" void myFunc(void) { /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
The #define pre-processor directive shall not be used to create inline macros. Inline functions shall be used instead.
typedef signed int Sint_32; /********************************************** * Standard 340 S : Use of function like macro. **********************************************/ #define COMMON_MACRO(X, Y) ((X) * (Y)) const Sint_32 s1 = 42; const Sint_32 s2 = 7; Sint_32 foo(void) { Sint_32 myInt = COMMON_MACRO(s1, s2); return myInt; } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | PRE00-C | ||
EADS-C++ | : | 48 | ||
HIC++ | : | 14.15 | ||
HIS | : | 93 | ||
JSF++ AV | : | 29 | ||
LMTCP | : | 35 | ||
MISRA-AC | : | 19.7 | ||
MISRA-C++:2008 | : | 16-0-4, 16-2-1 | ||
MISRA-C:1998 | : | 93 | ||
MISRA-C:2004 | : | 19.7 | ||
NETRINO | : | 6.3.a | ||
SEC-C | : | E1.1.1, M5.1.3 |
This standard is not applicable to java.
Pre-processor constructs shall not be used as arguments to a function-like macro. Macro expansion substitution may lead to unpredictable behaviour.
#define S1 typedef signed int Sint_32; /************************************************************* * Standard 341 S : Preprocessor construct as macro parameter. *************************************************************/ #define COMMON_MACRO(X) (X) Sint_32 foo(void) { Sint_32 my_int = COMMON_MACRO( #ifdef S1 1 #else 2 #endif ); return my_int; } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CWE | : | 758 | ||
HIS | : | 95 | ||
JPL | : | 8 | ||
LMTCP | : | 47 | ||
MISRA-AC | : | 19.9 | ||
MISRA-C++:2008 | : | 16-0-5 | ||
MISRA-C:1998 | : | 95 | ||
MISRA-C:2004 | : | 19.9 |
This standard is not applicable to java.
Ensure that pre-processor directives are not followed by any character other than white-space. All pre-processor directives shall be syntactically valid even when they occur within an excluded block of code.
#define DIAGS typedef enum Flag { on, off } Flag; /************************************************************ * Standard 342 S : Extra chars after preprocessor directive. ************************************************************/ Flag x1; #ifdef DIAGS x1 = on; #else1 /* incorrect syntax */ x1 = off; #endif /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
A series of pre-processor directives that control the inclusion and exclusion of blocks of statements shall reside in the same file.
#define DEBUG1 1 /********************************************************** * Standard 343 S : #else has no #if, etc in the same file. **********************************************************/ #if DEBUG1 == 1 #include "static_343.h" /* * * Copyright (c) 2006 Liverpool Data Research Associates * */ /********************************************************** * Standard 343 S : #else has no #if, etc in the same file. **********************************************************/ /* do nothing */ #else /* do something */ #endif /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Avoid casting away volatile qualification as this may cause the compiler to perform optimisations that are not valid, leading to unexpected results in optimised builds.
typedef unsigned int Uint_32; /****************************************** * Standard 344 S : Cast on volatile value. ******************************************/ volatile Uint_32 *y1; Uint_32 *y2 = (Uint_32 *)y1; /* not compliant - cast to ... a pointer to non-volatile int */ /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | EXP32-C | ||
CWE | : | 704 | ||
HIC++ | : | 7.3 | ||
LMTCP | : | 328, 334 | ||
MISRA-AC | : | 11.5 | ||
MISRA-C++:2008 | : | 5-2-5 | ||
MISRA-C:2004 | : | 11.5 | ||
SEC-C | : | R2.7.2 |
No floating-point manipulations shall be made which rely on the way the values are stored. The storage of floating-point numbers is compiler-dependent, and as such should be hidden from the programmer by the use of in-built operators and functions.
typedef unsigned char Uint_8; /************************************************************ * Standard 345 S : Bit operator with floating point operand. ************************************************************/ void foo(float fl1) { Uint_8 bitmap = ~fl1; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
HIC++ | : | 10.11, 13.6 | ||
HIS | : | 16 | ||
LMTCP | : | 262 | ||
MISRA-AC | : | 12.12 | ||
MISRA-C++:2008 | : | 3-9-3 | ||
MISRA-C:1998 | : | 16 | ||
MISRA-C:2004 | : | 12.12 |
Bit-fields shall have explicitly unsigned integral or enumeration types only. An explicit unsigned declaration prevents unexpected sign extension or overflow.
Note that this standard is only enabled with the JSF++ AV programming model or by configuring the modifier 234 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" typedef enum Range { first, second, third } Range; /*********************************************************** * Standard 346 S : Bit field is not unsigned integral or enum type. ************************************************************/ typedef struct Message { UINT_32 ui_set:0x4; UCHAR uc_set:0x1; SINT_32 si_set:0x4; /* not compliant */ FLOAT_32 y_set:0x8; /* not compliant */ Range z_set:0x2; } Message; void static_346(void) { Message message_chunk; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
JSF++ AV | : | 154 | Modifiers : 234 = 1 |
No spaces shall be inserted between a function-like macro identifier and its parenthesised parameter list.
typedef signed int Sint_32; /********************************************************** * Standard 347 S : Macro parameter list has leading space. **********************************************************/ #define PENALTY_MACRO (XIN, YIN) ((XIN) * (YIN)) #define GOOD_MACRO(XIN, YIN) ((XIN) + (YIN)) const Sint_32 s1 = 42; const Sint_32 s2 = 7; Sint_32 foo(void) { Sint_32 myInt = GOOD_MACRO( s1, s2); return myInt; } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
A pointer shall not be compared to NULL or be assigned to NULL. Plain 0 should be used rather than NULL, which is an implementation-defined C++ null pointer constant.
typedef unsigned int Uint_32; // // Standard 348 S : Use of the NULL macro. // A/Ref: // class Person { public: Person(); explicit Person(const Person &person); Person & operator=(const Person &person); ~Person(); protected: private: Uint_32 *personal_number; }; Person::Person() { personal_number = NULL; // Initialising to 0 is preferable } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to java.
Identifiers for enumerator values shall be lowercase. Using lowercase avoids the possibility of accidental macro substitution.
typedef enum Seasons { SPRING, /* all upper-case ! */ summer, autumn, winter } Seasons; /***************************************************** * Standard 349 S : Enumeration is not all lower case. *****************************************************/ void foo(Seasons season) { /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates *
JSF++ AV | : | 52 |
This standard is not applicable to java.
Identifiers for constant values shall be lowercase. Using lowercase avoids the possibility of accidental macro substitution.
typedef unsigned int Uint_32; const Uint_32 DEFINT = 1U; /******************************************************** * Standard 350 S : Const variable is not all lower case. ********************************************************/ void foo(void) { Uint_32 my_int = DEFINT; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
JSF++ AV | : | 52 |
This standard is not applicable to java.
A variable will not be declared in the definition of its type. Otherwise the type will be unnamed, and unable to be referenced and reused. Furthermore the resulting code will be difficult to read.
/************************************************************* * Standard 351 S : Type declaration with variable definition. *************************************************************/ void foo(void) { enum { up, down } direction; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
JSF++ AV | : | 141 |
This standard is not applicable to java.
Object and function types shall not be defined in an implementation file. Every implementation file shall include the header files that uniquely define the types used.
#include "static_352.h" typedef enum Seasons { spring, summer, autumn, winter } Seasons; /********************************************************** * Standard 352 S : Declaration of type not in header file. **********************************************************/ Seasons foo(Months month) { Seasons ss; /* ... */ return ss; } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Only declare trivial functions 'inline'. Limit inline member functions to the pre-determined maximum number of statements - typically 1 or 2. The compiler is not compelled to make a function inline. The request to inline the function could be ignored, and the decision criteria differs from one compiler to another.
Inline functions do not necessarily improve performance and they can have a negative effect. Inappropriate use will lead to longer compilation times, slower runtime performance and larger binaries.
typedef unsigned int Uint_32; const Uint_32 agelimit = 18U; const Uint_32 junior = 0; // // Standard 353 S : Inline member has more than *** statements. // class Person { public: Person(); explicit Person(const Uint_32 personNum); explicit Person(const Person &person); Person & operator=(const Person &person); ~Person(); protected: private: Uint_32 personal_number; public: void adjust_num(void) { personal_number++; if (personal_number < agelimit) personal_number = junior; personal_number++; } }; void foo(void) { Person p1(10); p1.adjust_num(); //... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
External objects will not be declared in more than one file. External objects should be declared in header files which will then be included in all those files that use those objects (including the files which define them).
#ifndef GLOBALS_H #define GLOBALS_H typedef unsigned int Uint_32; extern Uint_32 day; /* ok - and defined in static_354.c */ extern Uint_32 month; /* ok - and defined in another_file.c */ /************************************************************* * Standard 354 S : Extern declaration is not in header file. *************************************************************/ #endif /* * * Copyright (c) 2006 Liverpool Data Research Associates * */ #include "globals.h" Uint_32 day; extern Uint_32 season; /* should be in (shared) header file */ /************************************************************* * Standard 354 S : Extern declaration is not in header file. *************************************************************/ void foo(void) { /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
User-specified identifiers will not rely on the significance of more than a pre-determined maximum number of characters - typically 64, although the C++ standard suggests a minimum of 1024 characters will be significant.
typedef unsigned int Uint_32; // // Standard 355 S : Variables not unique within *** characters. // A/Ref: // class X { public: protected: private: Uint_32 this_identifier_will_exceed_sixty_four_significant_characters_in_length; Uint_32 this_identifier_will_exceed_sixty_four_significant_characters_in_width; }; void foo(void) { X my_x; // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
Pointers to pointers should be avoided when possible. An alternative form of abstraction should be used instead; preferably one providing memory management and error handling facilities.
typedef unsigned char Uchar; typedef unsigned int Uint_32; const Uint_32 array_size = 10U; /*********************************************** * Standard 356 S : Pointer to pointer declared. ***********************************************/ void foo(void) { Uchar *cptr[array_size]; /* an array of char pointers */ Uint_32 **cpp; cpp = cptr; /* pointer to the array of pointers */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
A base class shall not be both virtual and non-virtual in the same hierarchy, as the hierarchy becomes difficult to comprehend and use.
// // Standard 357 S : Base class is mixed virtual and non virtual. // A/Ref: // class A { public: protected: private: }; class D1 : public A { public: protected: private: }; class D2 : public virtual A { public: protected: private: }; class D3 : public D1, public D2 { public: void foo() { ; } protected: private: }; // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Class member identifiers shall not use the same name as an identifier used elsewhere, such as a member function local variable or parameter. Name reuse leads to confusion, and ambiguous or incorrect code.
A duplicate violation of 91 S can be suppressed by configuring the modifier 246 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
typedef unsigned int Uint_32; // // Standard 358 S : Class member name reused. // class Bar { public: void foo(Uint_32 &some_int); // class member name reused protected: private: Uint_32 some_int; }; // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
Avoid using default arguments to allow for the same function to be called in more than one way, as ambiguities may arise when calling that function.
typedef unsigned int Uint_32; // // Standard 359 S : Default parameter use. // A/Ref: // class Base { public: Base(); explicit Base(const Base &bs); Base & operator=(const Base &bs); ~Base(); void foo(Uint_32 my_param); void foo(Uint_32 my_param, Uint_32 another_param = 0); protected: private: }; void my_func(void) { Base base_obj; // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
An object or function type declared more than once shall be compatible.
typedef unsigned char Uchar; extern incompatible_int; /***************************************** * Standard 360 S : Incompatible type. *****************************************/ /* ... */ Uchar incompatible_int = '0'; void foo(void) { /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
The order of evaluation of operands in an expression shall not be assumed, as the results may be subject to an implementation dependency. In any case, the use of brackets should be used to aid readability.
This standard can be relaxed to allow expressions containing arithmetic operators by configuring the modifier 264 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /********************************************* * Standard 361 S : Expression needs brackets. *********************************************/ SINT_32 static_361(SINT_32 x1, SINT_32 x2, SINT_32 x3) { SINT_32 z1 = x1 * x2 + x3; /* not compliant, but permitted by modifier 264 */ z1 = z1 * x2 >> 3U; /* not compliant */ return z1; } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | EXP00-C | ||
CERT-J | : | EXP06-J, EXP09-J | ||
CWE | : | 783 | Modifiers : 264 = 1 | |
DERA | : | 47 | ||
EADS-C | : | 98 | ||
ESA-BSSC | : | 65 | ||
GJB | : | 5.1.2 | ||
HIC++ | : | 10.4 | Modifiers : 264 = 1 | |
HIS | : | 47 | ||
JSF++ AV | : | 213 | Modifiers : 264 = 1 | |
LMTCP | : | 363, 398 | Modifiers : 264 = 1 | |
MISRA-AC | : | 12.1 | ||
MISRA-C++:2008 | : | 5-0-2 | ||
MISRA-C:1998 | : | 47 | ||
MISRA-C:2004 | : | 12.1 | ||
NETRINO | : | 1.4.a |
The main() function shall be the exception to the rule that states every non-local name be placed in a namespace. The main() function is the designated start of the program, and there is only ever one occurrence permitted.
namespace MySpace { typedef unsigned int Uint_32; const Uint_32 ok = 0; // // Standard 362 S : Main program in a namespace. // A/Ref: // void foo(Uint_32 &my_param) { // ... } int main(void) { Uint_32 my_var = ok; // ... foo(my_var); // ... return ok; } } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
A function's inherited default parameter shall never be redefined. The redefinition of default parameters for virtual functions often produces surprising results due to the fact that virtual functions are dynamically bound and default parameter values are statically bound.
typedef unsigned int Uint_32; // // Standard 364 S : Inherited default parameter redefined. // A/Ref: // class Base { public: Base(); explicit Base(const Base &bs); Base& operator=(const Base &bs); ~Base(); virtual void foo(Uint_32 my_int = 0); protected: private: }; class Derived : public Base { public: Derived(); explicit Derived(const Derived &dv); Derived& operator=(const Derived &dv); ~Derived(); virtual void foo(Uint_32 my_int = 1); protected: private: }; void myFunc(Derived &obj) { Base &base_obj = obj; // ... base_obj.foo(); // calls Derived::foo with my_int = 0 !!! } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Hexadecimal numbers shall be written using lower case letters.
This standard can be relaxed so as to allow an upper case X by configuring the modifier 208 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
/**************************************************************** * Standard 365 S : Hexadecimal number with upper case char. ****************************************************************/ typedef enum mask_enum_type { mask_first = 0x01, /* ok */ mask_all = 0xFF /* not compliant */ } mask_enum_type; /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
EADS-C | : | 90 |
It shall not be permitted to use the backslash character to continue a string. String continuation is unwieldy and may cause problems with some compilation tools. A long string may need to be broken down into two or more strings.
#include <stdio.h> /************************************************* * Standard 366 S : String continuation - use of \ * A/Ref: *************************************************/ void foo(void) { printf("This is quite a long text string that\ spans several lines\n"); /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
It shall not be permitted to use the backslash character to continue a macro definition. Macro continuation is unwieldy and may cause problems with some compilation tools. A long macro may need to be broken down into two or more macros, or represented as a function.
#include <stdio.h> /************************************************* * Standard 367 S : Macro continuation - use of \ * A/Ref: *************************************************/ #define S1(X) (\ (X) + ((X) * 2)) /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
EADS-C | : | 141 |
This standard is not applicable to java.
It shall not be permitted to use the backslash character to continue a pragma definition. Pragma continuation is unwieldy and may cause problems with some compilation tools. A long pragma statement may need to be broken down into two or more statements.
/************************************************* * Standard 368 S : Pragma continuation - use of \ * A/Ref: *************************************************/ #pragma This is just an example using \ to continue a pragma. #pragma Another example "using" \ but with a string before it! /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
EADS-C | : | 141 |
This standard is not applicable to java.
Names should be no more than a pre-determined maximum length - typically 60 characters. Names should be meaningful but also readily comprehend-able.
typedef unsigned int Uint_32; /********************************************************** * Standard 369 S : Name found with length greater than ***. * A/Ref: ***********************************************************/ void foo(void) { Uint_32 my_over_sixty_characters_long_non_compliant_integer_type_instance; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
The if statement should not be nested greater than a pre-determined maximum number of levels deep - typically 4. Deeply nested code is difficult to debug and maintain.
typedef unsigned int Uint_32; const Uint_32 top_value = 255U; /************************************************** * Standard 370 S : IF nest depth greater than ***. * A/Ref: **************************************************/ void foo(Uint_32 a1, Uint_32 a2, Uint_32 a3) { if (a1 > a3) { if (a1 > a2) { if (a2 > a3) { if (a2 < top_value) { if (a1 > top_value) /* exceeds nested limit of 4 */ { /* ... */ } } } } } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
Space characters shall be used following commas in an actual parameter list to help separate the arguments.
typedef unsigned int Uint_32; const Uint_32 x1 = 5U; const Uint_32 x2 = 3U; /********************************************************** * Standard 371 S : No space after comma in parameter list. * A/Ref: **********************************************************/ void foo(Uint_32 a1, Uint_32 a2) { if (a1 > a2) { /* ... */ } } void bar(void) { foo(x1,x2); /* no space */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
When declaring a pointer or reference, the asterisk/ampersand denoting the pointer/reference shall be added as a prefix to the pointer or reference name.
typedef unsigned short Uint_16; // // Standard 372 S : Asterisk/ampersand not attached to name. // A/Ref: // void foo(Uint_16* my_int_ptr) { // Statements... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
EADS-C | : | 158 |
This standard is not applicable to java.
The implementation of integer division in the chosen compiler should be determined, documented and taken into account.
typedef signed int Sint_32; const Sint_32 x1 = -5; const Sint_32 x2 = 3; /******************************************* * Standard 373 S : Use of integer division. * A/Ref: *******************************************/ void foo(Sint_32 a1, Sint_32 a2) { Sint_32 b1 = a1 / a2; /* Could be -1 remainder -2, or -2 remainder +1 */ /* ... */ } void bar(void) { foo(x1, x2); } /* * * Copyright (c) 2006 Liverpool Data Research Associates *
A typedef name shall be a unique identifier, and not reused either as a typedef or for any other purpose.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef unsigned int unique_type; /********************************************** * Standard 374 S : Name conflict with typedef. * A/Ref: **********************************************/ void foo(void) { unique_type unique_type; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
The use of octal escape sequences should be avoided. The inadvertent introduction of a decimal digit ends the octal escape and introduces another character subject to implementation definition.
typedef char Char; /************************************************ * Standard 376 S : Use of octal escape sequence. * A/Ref: ************************************************/ void foo(void) { Char octal_escape, n_octal_escape; n_octal_escape = '\01'; /* Not Compliant */ n_octal_escape = '\109'; /* Not Compliant */ octal_escape = '\0'; /* Compliant - exception to rule */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | MSC10-C | ||
CWE | : | 176 | ||
LMTCP | : | 270 | ||
MISRA-AC | : | 7.1 | ||
MISRA-C++:2008 | : | 2-13-2 | ||
MISRA-C:2004 | : | 7.1 | ||
SEC-C | : | M1.8.5 |
This standard is not applicable to java.
The use of the octal escape sequence '\0' within a string to indicate a null character should be avoided. The inadvertent introduction of a decimal digit ends the octal escape and introduces another character subject to implementation definition. Furthermore the null character serves to terminate the string when it may not be desirable to do so.
typedef char Char; /******************************************************* * Standard 377 S : Null character used within a string. * A/Ref: *******************************************************/ void foo(void) { Char * n_octal_point = "abc\017"; /* Not Compliant */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
The data type name and tag name used to identify a structure, union or enumeration shall be identical. Using different names can create unnecessary confusion.
/************************************************************** * Standard 378 S : Tag and type mismatch in struct/union/enum. * A/Ref: **************************************************************/ typedef enum my_enum { first, second, third } seq_enum; void foo(seq_enum pos) { /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
EADS-C | : | 86 |
This standard is not applicable to java.
The lines of code substituted for a macro should not exceed the pre-determined maximum number - typically 4.
typedef signed int Sint_32; const Sint_32 m1 = 4; const Sint_32 m2 = 3; /******************************************************** * Standard 379 S : Macro exceeds *** continuation lines. * A/Ref: ********************************************************/ #define MIN(a, b) ((a) \ < \ (b) \ ? (a) \ : (b) \ ) void foo(void) { Sint_32 res = MIN(m1, m2); /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
EADS-C | : | 91 |
This standard is not applicable to java.
Each member of an enumerated type shall be declared on a separate line to aid readability.
/********************************************************* * Standard 380 S : Enumeration element not on a new line. * A/Ref: *********************************************************/ typedef enum my_enum { first, second, third } my_enum; void foo(void) { enum my_enum pos; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
EADS-C | : | 157 |
The typedef facility shall be used to create new user defined types as required, and shall specifically be used to define all enumerated types, structures and unions.
/******************************************************** * Standard 381 S : Enum, struct or union not typedeffed. * A/Ref: 6.1.7.15 & 6.3.7.9 ********************************************************/ enum my_enum { first, second, third }; void foo(void) { enum my_enum pos; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
A function call in which the returned value is discarded shall be clearly indicated using (void).
This standard can be further restricted to check for discarded returns from library functions by configuring the modifier 383 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
UINT_32 my_const = 42U; /************************************************************* * Standard 382 S : (void) missing for discarded return value. *************************************************************/ UINT_32 a_fn(UINT_32 us1) { /* ... */ return us1; } void static_382(void) { a_fn(my_const); /* not compliant */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
An identifier shall not use the same name as a macro, regardless of scope. Hiding identifiers with an identifier of the same name in a nested scope leads to code which is very confusing.
typedef unsigned int Uint_32; #define X2(X) ((X) + (X)) /****************************************************** * Standard 383 S : Identifier name matches macro name. * A/Ref: ******************************************************/ Uint_32 X2; /* Violation - 2nd use of name */ Uint_32 foo(Uint_32 us1) { /* ... */ return us1; } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
User-specified identifiers will not rely on the significance of more than 31 characters, as required by the ISO standard.
typedef unsigned int Uint_32; #define ABCDEFGHIJKLMNOPQRSTUVWXYZ1234_M(X) ((X) + (X)) /************************************************************* * Standard 384 S : Identifier matches macro name in 31 chars. * A/Ref: *************************************************************/ Uint_32 ABCDEFGHIJKLMNOPQRSTUVWXYZ1234_V; /* Violation - matches macro name (up to 31 chars) */ Uint_32 foo(Uint_32 us1) { /* ... */ return us1; } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
A switch statement shall only contain switch labels and switch clauses, and no other code.
typedef unsigned int Uint_32; typedef enum FavouriteSeasons { spring, summer, autumn, winter } FavouriteSeasons; FavouriteSeasons season; Uint_32 x1; /*********************************************************** * Standard 385 S : MISRA switch statement syntax violation. * A/Ref: ***********************************************************/ void foo(void) { switch (season) { Uint_32 decl_b4_1st_case; /* Not Compliant */ case spring: x1 = 1U; break; case summer: x1 = 4U; break; case autumn: x1 = 7U; break; case winter: x1 = 10U; break; default: /* No default action required */ break; } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Blank lines shall be used to separate logical groupings of source code lines, and specifically there should be a pre-determined minimum number of lines between procedures.
typedef unsigned int Uint_32; /************************************************************** * Standard 386 S : Less than *** blank lines separating procs. * A/Ref: **************************************************************/ void foo(void) { /* ... */ } /* insufficient space */ void bar(Uint_32 p1) { foo(); /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
EADS-C | : | 147 |
An enumeration constant is a list of integer constant values, and shall only be associated with integer literals.
typedef unsigned int Uint_32; Uint_32 s4 = 4U; typedef enum FavouriteSeasons { spring = 1, summer = 2, autumn = 3, winter = s4 /* Not compliant */ } FavouriteSeasons; FavouriteSeasons season; Uint_32 x1; /*********************************************************** * Standard 387 S : Enum initialisation not integer literal. * A/Ref: ***********************************************************/ void foo(void) { switch (season) { case spring: x1 = 1U; break; case summer: x1 = 4U; break; case autumn: x1 = 7U; break; case winter: x1 = 10U; break; default: /* No default action required */ break; } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
An extern variable may be accessed by any function in a program file, and as such shall be declared at file scope.
typedef unsigned int Uint_32; const Uint_32 limit = 99U; /************************************************ * Standard 388 S : Extern used in function body. * A/Ref: ************************************************/ void foo(void) { extern Uint_32 x1; /* Not compliant */ if (limit == x1) { /* ...*/ } /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
The increment ++ and decrementor -- operators shall not be used on a boolean type variable. Specific functions should be used to assign or change booleans rather than arithmetic operations.
typedef unsigned int Uint_32; typedef enum Bool { false, true } Bool; const Uint_32 limit = 99U; /****************************************************** * Standard 389 S : Bool value incremented/decremented. * A/Ref: ******************************************************/ void foo(Uint_32 x1) { Bool b1 = false; if (limit == x1) { b1++; /* Not Compliant */ } /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates *
Array types shall not be used as the basis of a typedef declaration. Problems can arise relating to bounds checking and incorrectly specified deletion syntax.
typedef unsigned int Uint_32; typedef Uint_32 ARRAY_TYPE[ 10 ]; // Not Compliant // // Standard 390 S : Typedef array declaration. // A/Ref: // void foo (void) { Uint_32 *array = new ARRAY_TYPE; // ... delete array[]; } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to java.
An abstract class shall have no public constructors. Abstract classes cannot be used to declare objects, by making constructors protected it is explicit that the class can only be used from derived classes.
// // Standard 391 S : Public constructor in abstract class. // A/Ref: // class AbstractBase { public: AbstractBase(); // Not Compliant protected: AbstractBase & operator=(const AbstractBase &ab); explicit AbstractBase(const AbstractBase &ab); virtual ~AbstractBase(); virtual void foo(void)=0; // pvf private: }; void foo (void) { // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
A const member function shall not return non-const pointers or references to member data. Non-const handles indirectly allow modification of class data.
typedef unsigned int Uint_32; // // Standard 392 S : Class data accessible thru non const member. // A/Ref: // class Person { public: Person(); Person & operator=(const Person &ab); explicit Person(const Person &ab); virtual ~Person(); Uint_32 *foo(void) const { return p_num; // permits subsequent modification of private data } protected: private: Uint_32 *p_num; }; void bar(void) { const Person person; Uint_32 *pn = person.foo(); *pn = 10; // modifies private data in person! } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
All single argument constructors shall be declared as explicit thus preventing their use as implicit type convertors.
typedef unsigned int Uint_32; typedef float Float_32; // // Standard 393 S : Single parameter constructor not 'explicit'. // A/Ref: 6.2.7 // class Person { public: Person(); explicit Person(const Uint_32 personNum); Person(Float_32 sal); // should be explicit to prevent type conversion explicit Person(const Person &person); Person & operator=(const Person &person); ~Person(); protected: private: Uint_32 personalNumber; Float_32 salary; }; void bar(Person const & ); void foo(void) { bar( Person( 10 ) ); // ok, explicit - but if it were 'bar( 10 )' it would not compile bar( 20.0 ); // implicit conversion // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Conversion operators should not be used, as implicit conversion operators can take place without the programmer's knowledge.
// // Standard 394 S : Conversion function found. // A/Ref: 6.2.6 // class CExampleC { }; class CExampleD { public: explicit CExampleD( CExampleC ); // 1 }; class CExampleC { public: operator CExampleD(); // 2 }; void foo( CExampleD ); void bar(void) { CExampleC c; foo( c ); // Ambiguous (convert to CExampleD by 1 or 2?) } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
STL containers shall not be used as public bases classes. They lack a virtual destructor, which may cause problems when deleting derived objects (also see S 303).
#include <list> using namespace std; // // Standard 395 S : Public base use of STL library member. // A/Ref: // class MyList : public list { // ... }; void doSomething(void) { MyList* pHeapLis = new MyList; // allocate derived obj on heap std::list* pBaseLis = pHeapLis; // access through base class delete *pBaseLis; // undefined behaviour! } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Overloading on both numeric and pointer types shall not be performed, as it is not obvious which function is called when there is a numeric argument.
typedef char Char; // // Standard 396 S : Possible ambiguous numeric/pointer overloads. // A/Ref: // class One { public: void foo(Char cc); void foo(class Y * yy); }; void fn(void) { One my_one; my_one.foo( 0 ); // ambiguous my_one.foo( 1 ); // calls foo( Char ) my_one.foo( '1' ); // calls foo( Char ) } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
An array shall be fully populated upon initialisation. If there are fewer initialising data objects than the subscript limit, all excess elements in the array are set to zero. This may not be what the user expected.
typedef unsigned int Uint_32; /************************************************************** * Standard 397 S : Array initialisation has insufficient items. * A/Ref: ***************************************************************/ void foo (void) { Uint_32 my_array[3] = { 1, 2 }; /* Not Compliant */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CAST | : | 5.16.14 | ||
CERT-C | : | ARR02-C | ||
CMSE | : | 13.1.6 | ||
GJB | : | 5.1.20 | ||
MISRA-AC | : | 9.2 | ||
MISRA-C++:2008 | : | 8-5-2 | ||
MISRA-C:2004 | : | 9.2 | ||
SEC-C | : | M2.1.1, R1.2.1 |
This standard is not applicable to java.
The use of a boolean operator to negate the result of an non-boolean expression shall be avoided. An alternative method of performing the intended logic should be used.
typedef unsigned int Uint_32; /************************************************************* * Standard 398 S : Boolean negation outside bracketed exprsn. * A/Ref: **************************************************************/ void foo(void) { Uint_32 lowertest1, lowertest2, test; /* ... */ if (!(lowertest <=test)) { ; } if (lowertest1 > test) /* preferred */ { ; } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
A function will not be declared more than once. Function overloading can lead to confusing and erroneous code.
typedef unsigned int Uint_32; typedef signed int Sint_32; /*************************************************** * Standard 399 S : Function declared more than once. * A/Ref: ****************************************************/ void foo(Sint_32 p1); void foo(Sint_32 p1); /* re-declared */ void foo(Uint_32 p1); /* re-declared */ Uint_32 foo(Sint_32 p1); /* re-declared */ /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to c++.
The sizeof operator shall not be applied to a data type-specifier operand.
typedef unsigned int Uint_32; struct My_struct { Uint_32 x1; Uint_32 x2; }; /****************************************** * Standard 400 S : Use of sizeof on a type. * A/Ref: *******************************************/ Uint_32 foo(void) { /* ... */ return sizeof(struct My_struct); /* Not Compliant */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Arrays passed by value are in actual fact passed as a copy of the array address. It is therefore not advisable to use the sizeof operator on an array parameter as the pointer size is likely to be returned rather than the required array size.
Furthermore, sizes of data objects stored within the array will be machine-dependent and no assumptions should be made about them when writing portable code.
typedef char Char; typedef unsigned int Uint_32; /******************************************************* * Standard 401 S : Use of sizeof on an array parameter. * A/Ref: *******************************************************/ void foo(Char str[]) { Uint_32 sz = sizeof(str); /* "str" is an array type parameter */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Comparison between booleans should not be made. In the 'C' language there is no Boolean type, although by convention integer zero is regarded as false and non-zero is true. Hence a comparison between boolean types which depend upon specific values may reap unexpected results.
typedef enum Bool { false, true } Bool; /****************************************** * Standard 402 S : Comparison of booleans. * A/Ref: ******************************************/ void foo(Bool b1) { Bool b2 = true; /* ... */ if (b1 == b2) { /* ... */ } /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
Right hand side operands used with shift operators shall not be negative. A negative shift leads to undefined behaviour.
typedef unsigned int Uint_32; typedef signed int Sint_32; /************************************************************ * Standard 403 S : Negative (or potentially negative) shift. * A/Ref: ************************************************************/ void foo(void) { Uint_32 my_var = 2U; const Sint_32 s1 = -2; my_var = my_var << -1; /* -1 is a negative number */ my_var = my_var >> s1; /* the value of "s1" variable is negative */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CAST | : | 5.16.4 | ||
CERT-C | : | INT34-C | ||
CERT-J | : | INT05-J | ||
CMSE | : | 6.1.20 | ||
CWE | : | 190, 680, 681 | ||
DERA | : | 38 | ||
GJB | : | 5.1.7 | ||
HIC++ | : | 10.12 | ||
HIS | : | 38 | ||
JSF++ AV | : | 164 | ||
LMTCP | : | 294 | ||
MISRA-AC | : | 12.7 | ||
MISRA-C:1998 | : | 38 | ||
MISRA-C:2004 | : | 12.7 |
The number of initialising data objects shall not be more than implied by the subscript limit. Although this is a programming error - potentially overwriting an adjacent data area - it may not be trapped by the compiler.
typedef unsigned int Uint_32; /********************************************************** * Standard 404 S : Array initialisation has too many items. ***********************************************************/ void foo (void) { Uint_32 my_array[3] = { 1, 2, 3, 4 }; /* Not Compliant */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CAST | : | 5.16.1 | ||
CERT-C | : | ARR02-C | ||
CMSE | : | 6.1.19 | ||
CWE | : | 665 | ||
GJB | : | 5.1.3 | ||
MISRA-AC | : | 9.2 | ||
MISRA-C:2004 | : | 9.2 | ||
SEC-C | : | R1.2.1 |
This standard is not applicable to java.
The use of pre-processor macros to define inherently complex recursive code segments should be avoided. A macro which calls itself may result in an infinite loop, particularly as with macro substitution the underlying syntax or semantics of the language are not checked by the compiler.
typedef unsigned int Uint_32; /************************************************************* * Standard 405 S : Macro name appears in own replacement list. * A/Ref: **************************************************************/ #define MY_MACRO(X) ((X) * (MY_MACRO((X) + 1))) /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
The right-hand side operand of a logical expression shall not contain side-effects if, dependent upon the nature of the left-hand side, its evaluation is conditional. Any reliance on the side-effect made by subsequent statements introduces the potential for unexpected behaviour in the software.
typedef unsigned int Uint_32; typedef enum Bool { false, true } Bool; const Uint_32 max_num = 10; /*************************************************************** * Standard 406 S : Use of ++ or -- on RHS of && or || operator. * A/Ref: ***************************************************************/ void foo(Bool is_high, Uint_32 p1) { if (is_high && (max_num == p1++)) /* increment will not take place if is_high 'false' */ { /* ... */ } /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | EXP02-C | ||
CWE | : | 664, 682, 737, 747, 768 | ||
DERA | : | 33 | ||
HIC++ | : | 10.9 | ||
HIS | : | 33 | ||
JSF++ AV | : | 157 | ||
LMTCP | : | 286 | ||
MISRA-AC | : | 12.4 | ||
MISRA-C++:2008 | : | 5-14-1 | ||
MISRA-C:1998 | : | 33 | ||
MISRA-C:2004 | : | 12.4 | ||
SEC-C | : | M1.8.1, M3.2.1 |
Strings do not have memory explicitly dynamically allocated, and hence have no requirement for the use of the free function for de-allocation. The use of free on a string is invalid and leads to undefined behaviour.
typedef char Char; /*************************************** * Standard 407 S : free used on string. * A/Ref: ***************************************/ void foo(void) { const Char *str = "abcde"; *str = "cdef"; free(str); /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
The right-hand side operand of a logical expression shall not contain access to a volatile variable if, dependent upon the nature of the left-hand side, its evaluation is conditional. Any reliance on a value change to the volatile variable made by subsequent statements introduces the potential for unexpected behaviour in the software.
typedef unsigned int Uint_32; typedef enum Bool { false, true } Bool; const Uint_32 max_num = 10; /***************************************************************** * Standard 408 S : Volatile variable accessed on RHS of && or ||. * A/Ref: *****************************************************************/ void foo(Bool is_high, Uint_32 p1) { volatile Uint_32 v1; /* ... */ if (is_high && (max_num == v1)) /* v1 will not be accessed if is_high 'false' */ { /* ... */ } /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | EXP02-C | ||
CWE | : | 664, 682, 737, 747, 768 | ||
DERA | : | 33 | ||
HIC++ | : | 10.9 | ||
HIS | : | 33 | ||
JSF++ AV | : | 157 | ||
LMTCP | : | 286 | ||
MISRA-AC | : | 12.4 | ||
MISRA-C:1998 | : | 33 | ||
MISRA-C:2004 | : | 12.4 | ||
SEC-C | : | M1.8.1, M3.2.1 |
For any iteration there shall be at most one break statement used to exit the loop. More than one break is not necessary if the code is well-structured.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef signed int Sint_32; typedef char Char; const Sint_32 max_num = 10; /********************************************************* * Standard 409 S : More than one break statement in loop. * A/Ref: *********************************************************/ void foo(Char arr[]) { Sint_32 sub; /* ... */ for (sub = 0; sub < max_num; sub++) { if (arr[sub] == '\0') { break; } printf("%c", arr[sub]); if (arr[sub] == 'z') { break; } } /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
A switch statement shall contain a default clause which will take appropriate action in the event that prior case clauses have not been met, or at least a comment to indicate that the programmer has considered the possibility.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef unsigned int Uint_32; typedef enum FavouriteSeasons { spring, summer, autumn, winter } FavouriteSeasons; FavouriteSeasons season; Uint_32 x1; /******************************************************* * Standard 410 S : Switch empty default has no comment. * A/Ref: *******************************************************/ void foo(void) { switch (season) { case spring: x1 = 1U; break; case summer: x1 = 4U; break; case autumn: x1 = 7U; break; case winter: x1 = 10U; break; default: break; } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
Assigning a non-enumerative value to an enumerated type shall be avoided as the result is unspecified if the value is not within the range of the enumeration.
typedef enum Seasons { spring = 1, summer, autumn, winter } Seasons; void foo(void); /******************************************************** * Standard 411 S : Inappropriate value assigned to enum. * A/Ref: ********************************************************/ void foo(void) { Seasons season = autumn; /* ... */ season++; /* not compliant */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
Ensure that all non-empty source files end with a complete language statement followed by a new-line character, otherwise the behaviour is undefined.
A data type appears to have been declared but not used to define an object. There shall be no redundant types declared as this reduces the maintainability of code.
This standard can be further restricted to check for unused declarations in included files by configuring the modifier 284 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" typedef enum Seasons { spring, summer, autumn, winter } Seasons; /* not compliant */ /************************************************************* * Standard 413 S : Type declared but not used in declaration. *************************************************************/ void static_413(SINT_32 ss) { /* Statements which make no use of 'Seasons' type... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
An array type formal parameter shall not be subscripted with the array size. An array intended to be passed by value is in fact always passed by reference, i.e. a copy of the address of the first entry in the array. Subscripting an array parameter serves no purpose but to add confusion, and potentially conflict with the actual array size.
typedef signed int Sint_32; typedef char Char; const Sint_32 max_num = 10; /*************************************************************** * Standard 415 S : Single dimension array param size specified. * A/Ref: ***************************************************************/ void foo(Char arr[10]) { Sint_32 sub; /* ... */ for (sub = 0; sub < max_num; sub++) { if (arr[sub] == '\0') { break; } printf("%c", arr[sub]); } /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
A multi-dimensional array type formal parameter shall not have its first subscript dimension specified. An array intended to be passed by value is in fact always passed by reference, i.e. a copy of the address of the first entry in the array. Subscripting an array parameter serves no purpose but to add confusion, and potentially conflict with the actual array size.
typedef signed int Sint_32; typedef char Char; const Sint_32 max_num = 10; /********************************************************* * Standard 416 S : First array param dimension specified. * A/Ref: *********************************************************/ void foo(Char arr[10][2]) { Sint_32 sub; /* ... */ for (sub = 0; sub < max_num; sub++) { if (arr[sub][0] == '\0') { break; } printf("%c", arr[sub]); } /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
The use of the pre-processor should be limited such that only the presence of a definition is checked using #ifndef, rather than using #if. In particular, the control of conditional compilation through a specific value of a pre-processor token is prone to error.
typedef unsigned int Uint_32; #define DEBUG1 1 /*************************************************** * Standard 417 S : Use of #if preprocessor command. * A/Ref: ***************************************************/ #if DEBUG1 const Uint_32 init = 1U; #else const Uint_32 init = 0; #endif void foo(void) { /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Inheritance shall be exclusively used to represent an "is-a" relationship using the public classifier. Hence the "is-implemented-in-terms-of" relationship should be constructed via composition or some other means rather than using private inheritance which is purely an implementation technique.
typedef unsigned int Uint_32; // // Standard 418 S : Class Derivation is not public. // A/Ref: // class Person { public: Person(); explicit Person(const Uint_32 personNum); Person & operator=(const Person &person); ~Person(); protected: private: Uint_32 personalNumber; }; class Student : private Person { }; // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
Class type variables shall be defined using direct initialisation rather than copy initialisation, thereby removing the extra step of constructing a temporary object before copy constructing the resultant variable.
typedef unsigned int Uint_32; // // Standard 419 S : Deprecated class initialisation. // A/Ref: // class Person { public: Person(); explicit Person(const Uint_32 personNum); Person & operator=(const Person &person); ~Person(); protected: private: Uint_32 personalNumber; }; void foo(void) { Person p1 = new Person(42); // avoid Person p2(7); // prefer // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Virtual functions shall not be inlined either explicitly with the inline keyword or implicitly through method definition in a class declaration. Due to polymorphism a compiler cannot possibly know which instance of a virtual function will be called at compile time.
typedef unsigned int Uint_32; // // Standard 420 S : Virtual function should not be inline. // A/Ref: // class Base { public: Base(); explicit Base(cost Base &base); Base & operator=(const Base &base); virtual ~Base(); virtual void foo(void) // virtual 'inline' function { ; } protected: private: Uint_32 m_var; }; // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Operator new and delete should be declared explicitly static. Although they are by default implicitly static, documenting the static nature in this way helps improve maintainability.
// // Standard 421 S : New or delete not explicitly static. // A/Ref: // class X { public: X(); ~X(); void *operator new(const size_t size); // should be explicitly 'static' static void operator delete(void*); explicit X(const X &xx); X & operator=(const X &xx); protected: private: }; void foo(void) { // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
To avoid confusion and aid maintainability declare one type only in each typedef statement.
typedef unsigned int Uint_32; /*************************************************** * Standard 422 S : More than one synonym in typedef. * A/Ref: ***************************************************/ typedef Uint_32* My_ptr, Value; /* Not intuitive that Value is an int type * whereas My_ptr is an int* type. */ void foo(My_ptr ptr, Value val) { /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Overloaded operators new and delete should be paired such that any custom memory management scheme is complete.
// // Standard 423 S : Operator new and no operator delete. // A/Ref: // class X { public: X(); ~X(); static void *operator new(const size_t size); explicit X(const X &xx); X & operator=(const X &xx); protected: private: }; void foo(void) { // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Overloaded operators new[] and delete[] should be paired such that any custom memory management scheme is complete.
// // Standard 424 S : Operator new[] and no operator delete[]. // A/Ref: // class X { public: X(); ~X(); static void *operator new[](const size_t size); explicit X(const X &xx); X & operator=(const X &xx); protected: private: }; void foo(void) { // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Use the upper case suffix F for all float constants. It is regarded as good programming practice to make explicit the type when using floating-point numbers. All un-suffixed floating constants are of type double by default.
typedef float Float_32; typedef double Float_64; /************************************************** * Standard 425 S : float literal with no F suffix. * A/Ref: **************************************************/ void foo(void) { Float_32 my_floata = 3.5F; /* ok */ Float_64 my_double = 4.5; /* ok - compiler will assume double */ Float_32 my_floatb = 2.5; /* not ok - will result in implicit conversion... */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
Use of a #undef in a block is misleading as it implies a scope restricted to that block, which is not the case. Place all pre-processing directives near the top of a file, and explicitly at file scope.
#define AA 1 #undef BB void foo(void); /****************************************** * Standard 426 S : #undef used in a block. * A/Ref: ******************************************/ void foo(void) { #define BB 2 #undef CC /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
DERA | : | 91 | ||
HIS | : | 91 | ||
MISRA-AC | : | 19.5 | ||
MISRA-C++:2008 | : | 16-0-2 | ||
MISRA-C:1998 | : | 91 | ||
MISRA-C:2004 | : | 19.5 | ||
SEC-C | : | M4.7.5 |
This standard is not applicable to java.
All filenames used in conjunction with #include shall be enclosed in angled-brackets or quotes, either directly or via macro substitution. Any other sequence following a #include results in undefined behaviour.
#define MYFILE "myfile.h" #include MYFILE #include filename.h void foo(void); /********************************************************** * Standard 427 S : Filename in #include not in < > or "". * A/Ref: **********************************************************/ void foo(void) { /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
A switch statement should always be enclosed by braces to form a compound statement. If omitted, Testbed inserts the required braces into the reformatted code to permit instrumentation.
typedef enum Seasons { spring, summer, autumn, winter } Seasons; void foo(Seasons season); /******************************************************** * Standard 428 S : No {} for switch. (added by Testbed). * A/Ref: ********************************************************/ void foo(Seasons season) { Uint_16 weather_score; switch (season) case spring: { weather_score = 1U; break; } case summer: { weather_score = 3U; break; } case autumn: { weather_score = 2U; break; } case winter: { weather_score = 0; break; } default: { weather_score = 0; break; } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
The middle expression in a for loop shall include testing of the loop control variable. In the interests of simplicity and maintainability, expressions in a for statement should be wholly concerned with loop control only.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef unsigned int Uint_32; void foo(void); /******************************************************* * Standard 429 S : Empty middle expression in for loop. * A/Ref: *******************************************************/ void foo(void) { Uint_32 index; for (index = 0; ;index++) { /* ... */ } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
The loop control variable shall only be initialised, tested, and incremented or decremented. In the interests of simplicity and maintainability, expressions in a for statement should be wholly concerned with loop control only.
#include <stdio.h> typedef signed int Sint_32; const Sint_32 max_ind = 10; void foo(void); /*************************************************************** * Standard 430 S : Inconsistent usage of loop control variable. * A/Ref: ***************************************************************/ void foo(void) { for (Sint_32 index = 0; index < max_ind; printf("index = %d\n", index)) { /* ... */ index = index + 2; /* ... */ } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to c++.
Signed and unsigned char types shall not be used for the storage of character values.
typedef signed char int8_t; static int8_t foo(int8_t); /******************************************************** * Standard 431 S : Char used instead of (un)signed char. * A/Ref: ********************************************************/ static int8_t foo(int8_t signed_numeric_param) { int8_t signed_numeric_local; switch ( signed_numeric_param ) { case 1: signed_numeric_local = 1; break; case 'a': /* Not Compliant */ signed_numeric_local = 2; break; default: signed_numeric_local = 3; break; } return signed_numeric_local; } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Plain char types shall not be used for the storage of non-character values.
typedef char char_t; static char_t foo(char_t); /************************************************************* * Standard 432 S : Inappropriate type - should be plain char. * A/Ref: *************************************************************/ static char_t foo(char_t plain_char_param) { char_t plain_char_local; switch ( plain_char_param ) { case 1: /* Not Compliant */ plain_char_local = ' '; break; case 'a': plain_char_local = '1'; break; default: plain_char_local = '2'; break; } return plain_char_local; } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
Conversions to a different type require explicit type casting to ensure there is no unintentional loss of information. Implicit conversion is typically implementation-defined and may result in undefined behaviour.
typedef unsigned char Uint_8; typedef unsigned short Uint_16; void foo(void); /************************************************ * Standard 433 S : Type conversion without cast. * A/Ref: ************************************************/ void foo(Uint_16 us) { Uint_8 ub = us; /* converting to a narrower type can result in loss of information */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | INT02-C, INT31-C | ||
CMSE | : | 6.1.9 | ||
CWE | : | 192, 197 | ||
DERA | : | 43 | ||
GJB | : | 4.6.1.9 | ||
HIC++ | : | 10.7 | ||
HIS | : | 43 | ||
JSF++ AV | : | 180 | ||
LMTCP | : | 267 | ||
MISRA-AC | : | 6.1, 6.2, 10.1, 10.2, 10.3, 10.4 | ||
MISRA-C++:2008 | : | 5-0-11 | ||
MISRA-C:1998 | : | 43 | ||
MISRA-C:2004 | : | 6.1, 6.2, 10.1, 10.2, 10.3, 10.4 | ||
NETRINO | : | 5.3.c, 5.4.b | ||
SEC-C | : | P1.3.1, R2.4.1 |
This standard is not applicable to java.
Conversions to a different type require explicit type casting to ensure there is no unintentional loss of information. Implicit conversion is typically implementation-defined and may also result in undefined behaviour.
This standard is applied to assignments and initialisations with non-constant values. Other situations are covered by 93 S, 96 S, 98 S, 331 S and 458 S.
This standard can be relaxed to allow zero literal values without a U by configuring the modifier 358 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
typedef signed int SINT_32; typedef unsigned int UINT_32; /********************************************************** * Standard 434 S : Signed/unsigned conversion without cast. **********************************************************/ void static_434(UINT_32 us1) { SINT_32 ss1 = us1; /* converting to signed may result in a loss of information */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | INT02-C, INT31-C, STR34-C | ||
CERT-J | : | INT01-J | ||
CWE | : | 192, 195, 196, 197 | Modifiers : 358 = 1 | |
DERA | : | 43, 48 | ||
GJB | : | 4.6.1.9 | ||
HIC++ | : | 10.13, 10.14 | ||
HIS | : | 43, 48 | ||
JSF++ AV | : | 162 | ||
LMTCP | : | 292, 302, 325 | ||
MISRA-AC | : | 10.1 | ||
MISRA-C++:2008 | : | 5-0-4 | ||
MISRA-C:1998 | : | 43, 48 | ||
MISRA-C:2004 | : | 10.1 | ||
NETRINO | : | 5.3.c | ||
SEC-C | : | R2.3.3, R2.4.2 |
This standard is not applicable to java.
Conversions to a different type require explicit type casting to ensure there is no unintentional loss of information. Implicit conversion is typically implementation-defined and may also result in undefined behaviour.
typedef signed int SINT_32; typedef float FLOAT_32; /********************************************************* * Standard 435 S : Float/integer conversion without cast. *********************************************************/ void static_435(FLOAT_32 ff) { SINT_32 ss1 = ff; /* converting to signed int may result in a loss of information */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CWE | : | 192 | ||
DERA | : | 43 | ||
EADS-C++ | : | 29 | ||
GJB | : | 4.6.2.3 | ||
HIC++ | : | 7.6 | ||
HIS | : | 43 | ||
JSF++ AV | : | 180, 184 | ||
LMTCP | : | 325, 332 | ||
MISRA-AC | : | 10.1, 10.2 | ||
MISRA-C++:2008 | : | 5-0-5 | ||
MISRA-C:1998 | : | 43 | ||
MISRA-C:2004 | : | 10.1, 10.2 | ||
SEC-C | : | R2.4.1 |
This standard is not applicable to java.
Array indexing, as a form of pointer arithmetic, shall only be applied to objects defined as an array type. Pointers explicitly assigned to non-array objects have the potential to access unintended or invalid memory.
typedef unsigned char Uint_8; void foo(Uint_8 * p1, Uint_8 p2[]); /********************************************************* * Standard 436 S : Declaration does not specify an array. * A/Ref: *********************************************************/ void foo(Uint_8 * p1, Uint_8 p2[]) { Uint_8 index = 0; Uint_8 * p3; Uint_8 * p4; *p1 = 0; p1[5] = 0; /* not compliant - p1 was not declared as an array */ p3 = &p1[5]; /* not compliant - p1 was not declared as an array */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
LMTCP | : | 315, 400 | ||
MISRA-AC | : | 17.1, 17.4 | ||
MISRA-C++:2008 | : | 5-0-15, 5-0-16 | ||
MISRA-C:2004 | : | 17.1, 17.4 | ||
SEC-C | : | R1.3.1 |
This standard is not applicable to java.
Pointers which do not point to the same object cannot be logically compared, without the result being undefined behaviour.
typedef signed int Sint_32; void foo(void); /********************************************************* * Standard 437 S : Logical comparison of unlike pointers. * A/Ref: *********************************************************/ void foo(void) { Sint_32 ss1[10]; Sint_32 ss2[10]; Sint_32 *ss1_ptr = &ss1[0]; Sint_32 *ss2_ptr = &ss2[0]; if (ss1_ptr > ss2_ptr) { /* ... */ }; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Pointer subtraction cannot be performed with pointers that do not point to the same object, without the result being undefined behaviour.
typedef signed int Sint_32; void foo(void); /**************************************************************** * Standard 438 S : Pointer subtraction not addressing one array. * A/Ref: ****************************************************************/ void foo(void) { Sint_32 ss1[10]; Sint_32 ss2[10]; Sint_32 *ss1_ptr = &ss1[0]; Sint_32 *ss2_ptr = &ss2[0]; Sint_32 ss3 = ss1_ptr - ss2_ptr; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | ARR36-C, EXP08-C | ||
CWE | : | 468, 469, 758 | ||
MISRA-AC | : | 17.2 | ||
MISRA-C++:2008 | : | 5-0-17 | ||
MISRA-C:2004 | : | 17.2 | ||
SEC-C | : | R1.3.2 |
This standard is not applicable to java.
A cast from a pointer to an integral type shall not be performed. The size of integer required is implementation-defined, and, not only does the cast circumvent type integrity, the result may be undefined.
typedef signed int Sint_32; void foo(Sint_32 *ss_ptr); /****************************************************** * Standard 439 S : Cast from pointer to integral type. * A/Ref: ******************************************************/ void foo(Sint_32 *ss_ptr) { Sint_32 ss = (Sint_32)ss_ptr; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | INT15-C | ||
CWE | : | 681 | ||
DERA | : | 45 | ||
EADS-C++ | : | 15, 16 | ||
GJB | : | 4.12.1.1 | ||
HIC++ | : | 7.5, 7.7, 13.7 | ||
HIS | : | 45 | ||
JSF++ AV | : | 182 | ||
LMTCP | : | 328, 329 | ||
MISRA-AC | : | 11.3 | ||
MISRA-C++:2008 | : | 5-2-9 | ||
MISRA-C:1998 | : | 45 | ||
MISRA-C:2004 | : | 11.3 | ||
SEC-C | : | R2.7.1 |
This standard is not applicable to java.
A cast from an integral type to a pointer shall not be performed. The size of integer used to represent a pointer is implementation-defined, and, not only does the cast circumvent type integrity, the result may be undefined.
typedef signed int Sint_32; void foo(Sint_32 ss); /****************************************************** * Standard 440 S : Cast from integral type to pointer. * A/Ref: ******************************************************/ void foo(Sint_32 ss) { Sint_32 *ss_ptr = (Sint_32 *)ss; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | INT15-C | ||
CWE | : | 587, 588, 681 | ||
DERA | : | 45 | ||
EADS-C++ | : | 28 | ||
GJB | : | 4.12.2.1 | ||
HIC++ | : | 7.5 | ||
HIS | : | 45 | ||
JSF++ AV | : | 182 | ||
LMTCP | : | 328, 331 | ||
MISRA-AC | : | 11.3 | ||
MISRA-C++:2008 | : | 5-2-8 | ||
MISRA-C:1998 | : | 45 | ||
MISRA-C:2004 | : | 11.3 | ||
SEC-C | : | R2.7.1 |
This standard is not applicable to java.
The value of a complex expression of floating type shall not be explicitly converted to a different type. Only a cast to a narrower floating type is permitted.
All arithmetic operations should be performed in a consistent (underlying) type, and explicit conversions restricted, so as to avoid programmer confusion and unexpected results.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef unsigned short Uint_16; /* unsigned 16 bit integer */ typedef float Float_32; /* 64 bit floating-point */ void foo(void); /******************************************* * Standard 441 S : Float cast to non-float. * A/Ref: *******************************************/ void foo(void) { Uint_16 u16r; Float_32 f32a, f32b; /* ... */ u16r = (Uint_16)(f32a + f32b); /* not compliant */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
The value of a complex expression of signed integer type shall not be explicitly converted to unsigned integer. Only a cast to an integer type which is of the same signedness and narrower is permitted.
All arithmetic operations should be performed in a consistent (underlying) type, and explicit conversions restricted, so as to avoid programmer confusion and unexpected results.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef unsigned int Uint_32; /* unsigned 32 bit integer */ typedef signed int Int_32; /* signed 32 bit integer */ void foo(void); /********************************************************* * Standard 442 S : Signed integral type cast to unsigned. * A/Ref: *********************************************************/ void foo(void) { Uint_32 u32; Int_32 s32a, s32b; /* ... */ u32 = (Uint_32)(s32a + s32b); /* not compliant */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | FLP33-C, INT02-C | ||
CWE | : | 192, 195, 197 | ||
JSF++ AV | : | 180 | ||
LMTCP | : | 365 | ||
MISRA-AC | : | 10.3 | ||
MISRA-C:2004 | : | 10.3 |
This standard is not applicable to java.
The value of a complex expression of unsigned integer type shall not be explicitly converted to signed integer. Only a cast to an integer type which is of the same signedness and narrower is permitted.
All arithmetic operations should be performed in a consistent (underlying) type, and explicit conversions restricted, so as to avoid programmer confusion and unexpected results.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef unsigned int Uint_32; /* unsigned 32 bit integer */ typedef signed int Int_32; /* signed 32 bit integer */ void foo(void); /********************************************************* * Standard 443 S : Unsigned integral type cast to signed. * A/Ref: *********************************************************/ void foo(void) { Int_32 s32; Uint_32 u32a, u32b; /* ... */ s32 = (Int_32)(u32a + u32b); /* not compliant */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | FLP33-C, INT02-C | ||
CERT-J | : | INT01-J | ||
CWE | : | 192, 196, 197 | ||
JSF++ AV | : | 180 | ||
LMTCP | : | 365 | ||
MISRA-AC | : | 10.3 | ||
MISRA-C++:2008 | : | 5-0-9 | ||
MISRA-C:2004 | : | 10.3 |
This standard is not applicable to java.
The value of a complex expression of integer type shall not be explicitly converted to a different type. Only a cast to an integer type which is of the same signedness and narrower is permitted.
All arithmetic operations should be performed in a consistent (underlying) type, and explicit conversions restricted, so as to avoid programmer confusion and unexpected results.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef signed int Sint_32; typedef double Float_64; /************************************************************* * Standard 444 S : Integral type cast to non-integral. *************************************************************/ Sint_32 s32a = 4; Sint_32 s32b = 3; void foo(void) { Float_64 f64 = (Float_64) (s32a + s32b); /*...*/ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
Conversions to a narrower type require explicit type casting to ensure there is no unintentional loss of information. Implicit conversion is typically implementation-defined and may result in undefined behaviour.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef float Float_32; /* 32 bit float */ typedef double Float_64; /* 64 bit float */ void foo(void); /********************************************************** * Standard 445 S : Narrower float conversion without cast. * A/Ref: **********************************************************/ void foo(void) { Float_32 f32; Float_64 f64a, f64b; /* ... */ f32 = f64a + f64b; /* not compliant */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-J | : | FLP32-J | ||
HIC++ | : | 10.7, 10.14 | ||
JSF++ AV | : | 180 | ||
LMTCP | : | 325 | ||
MISRA-AC | : | 10.2 | ||
MISRA-C++:2008 | : | 5-0-6 | ||
MISRA-C:2004 | : | 10.2 | ||
NETRINO | : | 5.4.b |
This standard is not applicable to java.
Conversions to a narrower type require explicit type casting to ensure there is no unintentional loss of information. Implicit conversion is typically implementation-defined and may result in undefined behaviour.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
CERT-C | : | INT02-C | ||
CERT-J | : | INT30-J | ||
CWE | : | 192, 194, 197 | ||
HIC++ | : | 10.7, 10.14 | ||
JSF++ AV | : | 180 | ||
LMTCP | : | 325 | ||
MISRA-AC | : | 10.1 | ||
MISRA-C++:2008 | : | 5-0-6 | ||
MISRA-C:2004 | : | 10.1 |
This standard is not applicable to java.
The middle expression in a for loop shall perform simple constant testing of the loop control variable. In the interests of simplicity and maintainability, expressions in a for statement should be wholly concerned with loop control only.
typedef signed int Sint_32; const Sint_32 max_ind = 10; void foo(void); /*************************************************************** * Standard 447 S : Loop termination not a simple constant test. * A/Ref: ***************************************************************/ Sint_32 flag = 1; void foo(void) { for (Sint_32 index = 0; (index < max_ind) && (flag == 0); index++) { /* ... */ } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
Down-casting base class object pointers to a derived class shall be avoided. The use of virtual functions (polymorphism) is preferable, for example, to casting down the inheritance hierarchy to call a particular method defined by a derived class.
// // Standard 448 S : Base class pointer cast to derived class. // class Base { public: Base(); explicit Base(const Base &base); Base & operator=(const Base &base); virtual void myFunc(void); virtual ~Base(); protected: private: }; class Derived : public Base { public: Derived(); explicit Derived(const Derived &derived); Derived & operator=(const Derived &derived); virtual void myFunc(void); virtual ~Derived(); protected: private: }; void someFunc(void) { Base *base_ptr = new Derived; (static_cast<Derived *>(base_ptr))-> myFunc(); // not compliant base_ptr->myFunc(); // compliant //... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Casting up to a virtual base class object shall be avoided. The use of a cast on a pointer to traverse up the inheritance hierarchy to a base class is irreversible.
// // Standard 449 S : Derived class pointer cast to virtual base. // A/Ref: // class Base { public: Base(); explicit Base(const Base &base); Base & operator=(const Base &base); virtual void my_func(void); virtual ~Base(); protected: private: }; class Derived : public virtual Base { public: Derived(); explicit Derived(const Derived &derived); Derived & operator=(const Derived &derived); virtual void my_func(void); virtual ~Derived(); protected: private: }; Base * someFunc(void) { Derived *derived_ptr = new Derived(); return static_cast<Base*>(derived_ptr); // not compliant } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
String literals shall not be concatenated with wide string literals. If a narrow string literal token is adjacent to a wide string literal token, the behaviour is undefined.
typedef char Char_8; // // Standard 450 S : Wide string and string concatenated. // A/Ref: // void foo(void) { Char_8 *text = L"Wide string ""and string"; // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to java.
The value of a complex expression of floating type shall not be implicitly converted to a different type without an explicit cast to ensure arithmetic consistency.
All arithmetic operations should be performed in a consistent (underlying) type, and implicit conversions restricted, so as to avoid programmer confusion and the dangers associated with integral promotion.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef float Float_32; /* 32 bit float */ typedef double Float_64; /* 64 bit float */ void foo(void); /***************************************************************** * Standard 451 S : No cast for widening complex float expression. * A/Ref: *****************************************************************/ void foo(void) { Float_64 f64; Float_32 f32a, f32b; /* ... */ f64 = f32a + f32b; /* not compliant */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
The value of a complex expression of integer type shall not be implicitly converted to a different type without an explicit cast to ensure arithmetic consistency.
All arithmetic operations should be performed in a consistent (underlying) type, and implicit conversions restricted, so as to avoid programmer confusion and the dangers associated with integral promotion.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
CERT-C | : | INT02-C | ||
CWE | : | 192 | ||
LMTCP | : | 325 | ||
MISRA-AC | : | 10.1 | ||
MISRA-C++:2008 | : | 5-0-3 | ||
MISRA-C:2004 | : | 10.1 | ||
SEC-C | : | R2.4.1 |
Code which may result in an exception being thrown is present in a destructor. Throwing an exception from within a destructor shall be avoided as it may result in program termination if another exception is active further up the call stack. A try-catch block may be used in the destructor to prevent the thrown exception from propagating outside, provided the catch block has no code which may in turn throw a different exception.
typedef unsigned int Uint_32; // // Standard 453 S : Throw found in destructor. // A/Ref: // class MyException { }; class Person { public: Person(); explicit Person(const Uint_32 personNum); explicit Person(const Person &person); Person & operator=(const Person &person); ~Person(); protected: private: Uint_32 personalNumber; }; Person::~Person() { // ... throw MyException e; } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Thrown exception objects shall be of class type. A class instance provides the ability to pass information via its member data to the point at which error handling is performed. Furthermore, the class type itself can be used to document the nature of the exception, thereby aiding maintainability.
typedef unsigned int Uint_32; // // Standard 454 S : Throw type is not a class type. // A/Ref: // class Person { public: Person(); explicit Person(const Uint_32 personNum); explicit Person(const Person &person); Person & operator=(const Person &person); ~Person(); void my_func(void); protected: private: Uint_32 personalNumber; }; void Person::my_func(void) { // ... throw Uint_32 ie; } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Catch exception blocks shall be passed arguments by reference in favour of pass-by-pointer or pass-by-value. Additional memory management is required by pass-by-pointer which may in turn cause further exceptions or memory loss if the exception object is not deleted. Information in a derived class may be sliced from the exception in the exception handler if an exception is caught by value.
typedef unsigned int Uint_32; // // Standard 455 S : Catch is not by reference. // A/Ref: // void f(void) { // ... // Uint_32 type exception thrown here // ... } void g(void) { // ... // try used with f() // ... catch (Uint_32 someInt) { // handle Uint_32 exceptions here... } } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
The value of an expression of floating type shall not be implicitly converted to a different type if the expression is a return type.
All arithmetic operations should be performed in a consistent (underlying) type, and implicit conversions restricted, so as to avoid programmer confusion and the dangers associated with integral promotion.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
typedef float Float_32; /* 32 bit float */ typedef double Float_64; /* 64 bit float */ Float_64 foo(void); /*************************************************************** * Standard 456 S : Implicit float widening for function return. * A/Ref: ***************************************************************/ Float_64 foo(void) { Float_32 f32a; /* ... */ return (f32a); /* not compliant */ /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | MSC31-C | ||
CWE | : | 704 | ||
HIC++ | : | 10.7, 10.14 | ||
JSF++ AV | : | 180 | ||
LMTCP | : | 325 | ||
MISRA-AC | : | 10.2 | ||
MISRA-C:2004 | : | 10.2 | ||
NETRINO | : | 5.4.b |
The value of an expression of integer type shall not be implicitly converted to a different type if the expression is a return type.
All arithmetic operations should be performed in a consistent (underlying) type, and implicit conversions restricted, so as to avoid programmer confusion and the dangers associated with integral promotion.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
CERT-C | : | INT02-C | ||
CWE | : | 192 | ||
HIC++ | : | 10.7, 10.14 | ||
JSF++ AV | : | 180 | ||
LMTCP | : | 325 | ||
MISRA-AC | : | 10.1 | ||
MISRA-C:2004 | : | 10.1 |
The value of an actual parameter shall not be implicitly converted to a different type as a result of its mapping to a formal parameter.
All arithmetic operations should be performed in a consistent (underlying) type, and implicit conversions restricted, so as to avoid programmer confusion and the dangers associated with integral promotion.
typedef unsigned int Uint_32; /* 32 bit unsigned int */ typedef unsigned long Uint_64; /* 64 bit unsigned int */ void narrow_int(Uint_32 u32b); void foo(void); /*************************************************************** * Standard 458 S : Implicit conversion: actual to formal param. * A/Ref: ***************************************************************/ void narrow_int(Uint_32 u32b) { ; /* ... */ } void foo(void) { Uint_64 u64a; /* ... */ narrow_int(u64a); } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | INT02-C, INT07-C | ||
CWE | : | 192, 197 | ||
DERA | : | 77 | ||
HIC++ | : | 7.8, 10.7 | ||
HIS | : | 77 | ||
MISRA-AC | : | 10.1, 10.2 | ||
MISRA-C:1998 | : | 77 | ||
MISRA-C:2004 | : | 10.1, 10.2 | ||
NETRINO | : | 5.3.c, 5.4.b |
Arrays shall not be passed as parameters. The degeneration of arrays to pointers when passed as parameters is often the source of errors. Array bounds checking is not performed on C-style arrays and undefined behaviour may arise from an attempt to access memory outside the bounds of an array. This standard does not apply when arrays are passed as parameters to library routines.
typedef unsigned int Uint_32; /* 32 bit int */ void foo(Uint_32 *uptr); void bar(void); /**************************************************** * Standard 459 S : Array passed as actual parameter. ****************************************************/ void foo(Uint_32 *uptr) { /* ... */ } void bar(void) { Uint_32 uarray[10]; /* ... */ foo(uarray); /* not compliant */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Inline and template functions shall not be defined in the implementation file. Every implementation file shall include the header files that uniquely define the inline functions and templates used, and hence enforce the one definition rule.
// // Standard 460 S : Inline or template function not in header. // A/Ref: // namespace Ldra_test_f { inline int32 min_32(int32 x1, int32 y1) { return (x1 <y1) ? x1 : y1; } template <class T> T min(T x2, T y2) { return (x2 < y2) ? x2 : y2; } } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
An identifier shall be uniquely declared with either external or internal linkage in any given translation unit.
#include "misra.h" typedef MY_USHORT UI_16; /***************************************************** * Standard 461 S : Identifier with ambiguous linkage. * A/Ref: *****************************************************/ static UI_16 oops; void foo(UI_16 a) { extern UI_16 oops; /* same linkage as one visible at file scope */ { extern UI_16 oops; /* complain ambiguous linkage */ } } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
DERA | : | 24 | ||
HIC++ | : | 8.3.2 | ||
HIS | : | 24 | ||
JSF++ AV | : | 138 | ||
LMTCP | : | 251 | ||
MISRA-AC | : | 8.11 | ||
MISRA-C++:2008 | : | 3-3-2 | ||
MISRA-C:1998 | : | 24 | ||
MISRA-C:2004 | : | 8.11 | ||
NETRINO | : | 1.8.a | ||
SEC-C | : | M2.2.2, M2.2.3 |
This standard is not applicable to java.
A structure shall be fully populated upon initialisation. If there are fewer initialising data objects than the number of members, then the aggregate is padded with zeros of the appropriate type. However, the content of the padding may be garbage for an 'auto' struct.
typedef unsigned int Uint_32; typedef struct MyStruct { Uint_32 x1; Uint_32 x2; Uint_32 x3; } MyStruct; void foo(void); /**************************************************************** * Standard 462 S : Struct initialisation has insufficient items. * A/Ref: ****************************************************************/ void foo(void) { MyStruct a_struct = {1, 2}; /* ... */ } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Initialiser lists shall contain the correct number of comma separators. Superfluous use of a comma makes code confusing, and may cause an overflow outside of the bounds of the data structure being initialised.
typedef struct dpfunc { int i; void (*func)(int ii); int j; } dpfunc; extern void ut_f1(int ii); extern void ut_f2(int ii); // // Standard 463 S : Unnecessary comma in initialisation list. // A/Ref: // dpfunc dp[2] = { {1, ut_f1, 2}, {3, ut_f2, 4}, }; // // // Copyright (c) 2006 Liverpool Data Research Associates // //
Auto is the default storage class specifier and need not be explicitly declared. For a variable to be an auto, it must be defined within a function.
typedef unsigned int Uint_32; Uint_32 foo(void); /***************************************** * Standard 464 S : Use of auto specifier. * A/Ref: *****************************************/ auto Uint_32 glob_var; /* not valid here... */ Uint_32 foo(void) { Uint_32 r1; auto Uint_32 local_var; /* redundant here - 'local_var' is auto by default! */ /* ... */ return r1; } /* * * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
A complete declaration of a struct/union shall be included within a translation unit. Behaviour is undefined if a struct/union type is used to define an identifier without that type being previously or subsequently specified.
struct static_465_s; /* incomplete declaration */ void foo(void); /********************************************************* * Standard 465 S : Struct/union not completely specified. * A/Ref: *********************************************************/ void foo(void) { /* ... */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
An "L" suffix shall be applied to all constants of long type. Applying a suffix, or suffixes, to a numeric constant explicitly indicates its type and signedness, thereby avoiding ambiguity where implementation dependencies may apply.
typedef signed long Sint_32; typedef unsigned long Uint_32; const Sint_32 slong = 1; const Sint_32 slong_ok = 1L; const Uint_32 ulong = 2U; const Uint_32 ulong_ok = 2UL; void foo(void); /************************************************* * Standard 466 S : Long literal with no L suffix. * A/Ref: *************************************************/ void foo(void) { /* ... */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
A virtual member shall not be invoked from a class constructor. The method for the current class, or its base, will always be called, even when invoked as part of the construction of a derived class.
// // Standard 467 S : Virtual member called in constructor. // A/Ref: // class Person { public: Person(); virtual void func(); protected: private: }; class Student : public Person { public: Student() : Person() { func() }; // Person::func called not Student::func virtual void func(); protected: private: }; // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
In order to support the one definition rule (ODR), declarations are required to be made once (preferably in a shared header file), regardless of scope or namespace, to safeguard against duplicate definitions.
// // Standard 468 S : Member function redeclared. // A/Ref: // namespace H { namespace G { class HM { public: HM(){}; virtual ~HM(); protected: private: }; } // namespace H } // namespace G namespace H { namespace G { HM::HM(); // redeclaration HM::~HM() {}; } } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
A copy constructor shall be declared for classes that contain non-trivial destructors, i.e. manage resources.
The default copy constructor provided by the compiler performs a bitwise or shallow copy, resulting in a shared resource when a duplicated resource may be necessary. An explicit declaration makes the intention clear.
typedef unsigned int Uint_32; // // Standard 469 S : No copy constructor for complex destructor. // A/Ref: 6.1.11.5 // class Person { public: Person(); explicit Person(const Uint_32 personNum); Person & operator=(const Person &person); ~Person() { release_resources() }; // non-trivial destructor protected: private: Uint_32 personalNumber; void release_resources(void); }; void foo(void) { Person p1(10); Person q1(p1); // invokes (compiler provided) copy constructor } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
A copy assignment operator shall be declared for classes that contain non-trivial destructors, i.e. manage resources.
The default assignment operator provided by the compiler performs a bitwise or shallow copy, resulting in a shared resource when a duplicated resource may be necessary. An explicit declaration makes the intention clear.
typedef unsigned int Uint_32; // // Standard 470 S : No assignment operator for complex destrtor. // A/Ref: 6.1.11.5 // class Person { public: Person(); explicit Person(const Uint_32 person_num); explicit Person(const Person &person); ~Person() { release_resources() }; // non-trivial destructor protected: private: Uint_32 personal_number; void release_resources(void); }; void foo(void) { Person p1(10); Person q1(10); q1 = p1; // invokes (compiler provided) copy assignment constructor } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Functions that do not have a void return type must return a value which is significant, i.e. that requires processing.
Return values which may or may not be required are potentially confusing.
typedef signed int Sint_32; Sint_32 foo(void); /*************************************************** * Standard 471 S : Function returns constant value. * A/Ref: ***************************************************/ Sint_32 foo(void) { /* ... */ return 42; /* returns a constant value */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
Every declaration shall have a sidebar comment indicating the purpose of the object or function. Commenting the code in this way improves readability and maintainability.
void foo(void); char * entry_name = "Anon."; int enrty_number = 0; /* Id of current entry - comment provided, * unlike prior function & variable declarations */ /************************************************ * Standard 472 S : No comment after declaration. * A/Ref: ************************************************/ void foo(void) { /* ... */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
Typedefs shall not be used. For the sake of clarity, it is preferred that programmer-defined data types be represented explicitly in the code.
#define STRING_BUFFER_LENGTH 256 typedef struct { int stringSize; char stringBuffer[STRING_BUFFER_LENGTH]; } sized_string; struct another_string { int stringLength; char stringContainer[STRING_BUFFER_LENGTH]; }; void foo(void); /********************************************** * Standard 473 S : Typedef should not be used. * A/Ref: **********************************************/ void foo(void) { sized_string myString; /* create an instance of typedef struct */ struct another_string myContainer; /* explicit definition of struct type instance */ /* ... */ myContainer.stringLength = myString.stringSize; memcpy(myContainer.stringContainer, myString.stringBuffer, myContainer.stringLength); /* ... */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Enumeration names shall be all upper case. Making enumerated constants all upper case aids readability of the code, enabling the programmer to easily distinguish between literal constants and variable/function names.
typedef enum Bool { FALSE, /* OK - all upper case */ TRUE /* OK - all upper case */ } Bool; typedef enum MyEnum { First, /* Not OK - mixed lower and upper case */ Second, /* Not OK - mixed lower and upper case */ THIRD /* OK */ } MyEnum; void foo(MyEnum ee); /*************************************************** * Standard 474 S : Enum name is not all upper case. * A/Ref: ***************************************************/ void foo(MyEnum ee) { Bool top_two = FALSE; /* ... */ if (ee == First) { top_two = TRUE; } else { if (ee == Second) { top_two = TRUE; } else { top_two = FALSE; } } /* ... */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
LMTCP | : | 75 |
This standard is not applicable to java.
Function parameters shall be marked by standard macros to indicate whether they are input (IN), output (OUT), or bidirectional (INOUT), immediately before the parameter type.
#define IN typedef signed int Sint_32; Sint_32 foo(IN Sint_32 si); /* Use of a (empty) standard macro * to mark direction of parameter. */ /********************************************************** * Standard 475 S : Parameter needs an IN/OUT/INOUT marker. * A/Ref: **********************************************************/ Sint_32 foo(Sint_32 si) /* Direction marker omitted ! */ { /* ... */ return si; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Array subscripts must always be zero or positive. Hence any variable used to index into an array shall be of an unsigned type.
typedef signed int Sint_32; typedef unsigned int Uint_32; void foo(Sint_32 si); /************************************************* * Standard 476 S : Array index not unsigned. * A/Ref: *************************************************/ void foo(Sint_32 si) { Uint_32 my_array[3] = {0, 0, 0}; /* ... */ Uint_32 element = my_array[si]; /* signed index into array */ /* ... */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The body of an else that follows a final else if shall contain either a non-null statement (action) or a suitable comment to indicate that the alternative case has been considered.
typedef enum Pos { FIRST, SECOND, THIRD } Pos; typedef enum Bool { FALSE, TRUE } Bool; Bool foo(const Pos xx); /******************************************************* * Standard 477 S : Empty else clause following else if. * A/Ref: *******************************************************/ Bool foo(const Pos xx) { Bool top_two; /* ... */ if (xx == FIRST) { top_two = TRUE; } else if (xx == SECOND) { top_two = TRUE; } else { ; } /* Not compliant - no action or comment present */ /* ... */ return top_two; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
Macro names using one of the special prefixes, as identified in section 7.13 of the ISO/IEC 9899:1999 C programming standard and referenced by MISRA, shall not be defined, redefined or undefined.
This standard will only be enabled by configuring the modifier 316 in the creport.dat file. Instructions for making alterations can be found in the report.dat file.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by configuring the modifier 191 in the creport.dat (TBmisra license permitting).
#include "c_standards.h" #define isillegal 11 #define total 12 /**************************************************** * Standard 478 S : Misra special prefix banned name. ****************************************************/ SINT_32 static_478(SINT_32 p1) { SINT_32 result = total + (p1 * isillegal); return result; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to c++ and java.
A right bit shift operation shall not be performed when the number of bits shifted results in the value held by the lvalue operand to be lost.
typedef unsigned char Uint_8; void foo(void); /********************************************** * Standard 479 S : Right shift loses all bits. * A/Ref: **********************************************/ void foo(void) { Uint_8 ss = 15U; Uint_8 res; res = ss >> 4U; /* ... */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
An object shall not be copied to another when the two objects have some overlap in memory. The behaviour is undefined. This standard applies to the string handling library functions.
/****************************************************** * Standard 480 S : String function params access same variable. ******************************************************/ void static_480(void) { char str[] = {"ABCDEFGHIJKLMNOPQRSTUVWXYZ"}; (void)memcpy(&str[10], &str[13], 6U); /* ... */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
A user-defined structure or union type declaration shall be complete within any translation unit that refers to it. Specifically this standard stipulates that no incomplete array definitions be permitted in a structure or union. Such behaviour is a constraint error, but may not be detected by all compilers.
#include "c_standards.h" /******************************************************************* * Standard 481 S : Array with no bounds in struct * A/Ref: *******************************************************************/ void static_481 ( void ); void static_481 ( void ) { struct static_481_tag { int8_t a; int8_t b [ ]; /* Not Ok - no bounds given */ }; struct static_481_tag static_481_st = { 1, { 2, 3, 4 } }; /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
A user-defined structure or union type declaration shall be complete within any translation unit that refers to it.
An exception to the rule concerns the use opaque pointers, where the internal implementation is hidden using a pointer. This allows the implementation of the whole interface to change without the need to recompile the modules using it.
#include "c_standards.h" /******************************************************************* * Standard 482 S : Incomplete structure referenced * A/Ref: *******************************************************************/ void static_482 ( void ); extern struct st *pst1; extern struct st *pst2; void static_482 ( void ) { struct st1 s; /* Not Ok */ pst2 = pst1; /* Ok - use of opaque pointer */ *pst2 = *pst1; /* Not Ok */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
free de-allocates the memory pointed to by the specified parameter, and makes it available for other use. Before free is called, memory must have been allocated (on the heap).
#include "c_standards.h" /******************************************************************* * Standard 483 S : free parameter is not heap item. * A/Ref: *******************************************************************/ struct S { UINT_32 ac; UINT_32 bc; }; void static_483 ( void ); void static_483 ( void ) { UINT_32 ic; UINT_32 *jc; struct S *sptr; sptr = (struct S*)malloc(sizeof(struct S)); jc = ⁣ free(jc); /* Not ok - free performed on non-heap item */ free(sptr); /* Ok */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Once memory for an object has been de-allocated, the pointer that was used to identify the location of the object no longer points to a valid address. A freed object shall not be accessed.
#include "c_standards.h" /******************************************************************* * Standard 484 S : Attempt to use already freed object * A/Ref: *******************************************************************/ struct S { UINT_32 ac; UINT_32 bc; }; void static_484 ( void ); void static_484 ( void ) { UINT_32 ic; struct S *sptr; sptr = (struct S*)malloc(sizeof(struct S)); free(sptr); ic = sptr->ac; /* Not ok - use after free, dereferencing freed pointer "p" */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
To destroy an array and ensure that all destructors are called, delete[] must be used rather than delete. Failure to invoke destructors for each array element may result in memory leaks.
#include "c_standards.h" // // Standard 485 S : Array deletion without [] // A/Ref: // class helper { // Resources dynamically allocated in constructor // and destroyed in destructor. }; void static_485( void ); void static_485( void ) { helper * buffer = new buffer[10]; delete buffer; // Not Ok - should be "delete[] buffer"/ } // // // Copyright (c) 2007 Liverpool Data Research Associates // //
CWE | : | 762 |
This standard is not applicable to c and java.
Arguments of an output function shall each be associated with a format code. Omission of a format code is likely to result in the incorrect representation of any output.
#include "c_standards.h" /******************************************************************* * Standard 486 S : Insufficient format in output string. * A/Ref: *******************************************************************/ void static_486 ( char * my_string ); void static_486 ( char * my_string ) { printf ( string ); /* Not ok - missing format string */ printf ( "My string is %s", string ); /* Ok */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
When allocating space to an object from heap/free store, enough space shall be reserved to fully accommodate the object. Access to under-allocated memory may result in reading out of bounds or overwriting adjacent memory locations.
#include "c_standards.h" #include <stdlib.h> /******************************************************************* * Standard 487 S : Insufficient space for operation * A/Ref: *******************************************************************/ struct S { UINT_32 ac; UINT_32 bc; CHAR cc[100]; }; void static_487 ( void ); void static_487 ( void ) { UINT_32 tt; struct S *sptr; sptr = (struct S*)malloc(sizeof(sptr)); /* Not ok - should be "sizeof(*sptr)" */ sptr->ac = 0; sptr->bc = 0; tt = sptr->bc; /***/ free(sptr); } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
All operations shall be conducted in exactly the same arithmetic (underlying) type. Irrespective of implementation, operands must be within the range of the underlying type used. Mismatching types leads to unexpected results.
#include "c_standards.h" /******************************************************************* * Standard 488 S : Outside range of underlying type * A/Ref: *******************************************************************/ void static_488 ( void ); void static_488 ( void ) { SCHAR s8a = 0; SCHAR s8b = 0; /***/ s8a = s8a + 127; /* Ok */ s8b = s8b + 150; /* Not ok - addition performed in 8-bit signed */ } /* and so "150" too big */ /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
CERT-C | : | INT08-C | ||
CWE | : | 190 | ||
HIC++ | : | 6.3 | ||
MISRA-AC | : | 10.1 | ||
MISRA-C:2004 | : | 10.1 | ||
NETRINO | : | 5.3.c | ||
SEC-C | : | R2.3.1 |
This standard is not applicable to java.
When copying from source to destination, the destination must not overrun as a result of the operation. Overrun leads to data corruption. Standards 66 X, 70 X and 71 X report copies via procedure calls.
#include "c_standards.h" /******************************************************************* * Standard 489 S : Insufficient space for operation *******************************************************************/ void static_489 ( void ); void static_489 ( void ) { char source[200]; char destination[100]; /***/ strncpy( destination, source, 200 ); /* Not ok - destination is overrun */ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
Implicit conversions shall be avoided for function arguments. A widening conversion on a float parameter must be made explicit by the use of a cast. The use of a cast makes clear the intention to convert from one type to another type.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
#include "c_standards.h" /******************************************************************* * Standard 490 S : No cast for widening float parameter * A/Ref: *******************************************************************/ extern void helper64( FLOAT_64 h1 ); extern void helper32( FLOAT_32 h2 ); void static_490( void ); void static_490( void ) { /***/ FLOAT_32 s1; helper32(s1); /* Ok */ helper64((FLOAT_64)s1); /* Ok - use of a cast */ /***/ helper64(s1); /* Not ok - implicit widening conversion */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to c++.
Implicit conversions shall be avoided for function arguments. A widening conversion on a integer parameter must be made explicit by the use of a cast. The use of a cast makes clear the intention to convert from one type to another type.
Note that MISRA-C:2004 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA C2 programming model or by explicitly enabling the 191 entry configuration flag in the c/cppvals.dat file (TBmisra license permitting).
#include "c_standards.h" /******************************************************************* * Standard 491 S : No cast for widening int parameter * A/Ref: *******************************************************************/ extern void helper32( UINT_32 h1 ); extern void helper16( UINT_16 h2 ); void static_491( void ); void static_491( void ) { /***/ UINT_16 s1; helper16(s1); /* Ok */ helper32((UINT_32)s1); /* Ok - use of a cast */ /***/ helper32(s1); /* Not ok - implicit widening conversion */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to c++.
Each parameter, after the first, should be positioned on a new line by itself (with the closing parenthesis directly after the last argument). Declaring and defining functions in this way aids readability. This LDRA penalty is not applicable to code substituted into the source through macro expansion, as these checks are based on the original code and do not extend to macro definitions.
This standard can be relaxed to allow the parameters of a function with only two parameters to appear on the same line by configuring the modifier 220 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" /******************************************************************* * Standard 492 S : Parameter not declared on a newline *******************************************************************/ void static_492( UINT_32 p1, UINT_32 p2, UINT_32 p3, /* not compliant */ UINT_32 p4 ) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
Run-time operations on numeric variables that result in a value outside of the range of its type shall be avoided. Although wrap-around actions are sometimes intended, the practice is regarded as unsafe.
#include "c_standards.h" static void static_493( void ); /******************************************************************* * Standard 493 S : Numeric overflow *******************************************************************/ static void static_493( void ) { /* char assumed to be signed */ CHAR my_schar = 127; /* 8-bit signed char types are in the range -128 to 127. */ my_schar++; /* Not ok - exceeded the maximum value. */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
CAST | : | 5.6.3 | ||
CERT-C | : | INT32-C | ||
CERT-J | : | INT03-J | ||
CMSE | : | 6.1.14 | ||
CWE | : | 128, 190, 192, 197, 680, 758 | ||
GJB | : | 4.6.1.14 | ||
HIS | : | 51 | ||
MISRA-AC | : | 21.1 | ||
MISRA-C++:2008 | : | 5-19-1 | ||
MISRA-C:1998 | : | 51 | ||
MISRA-C:2004 | : | 21.1 |
Run-time operations on numeric variables that result in a value outside of the range of its type shall be avoided. Although wrap-around actions are sometimes intended, the practice is regarded as unsafe.
#include "c_standards.h" static void static_494( void ); /******************************************************************* * Standard 494 S : Numeric underflow *******************************************************************/ static void static_494( void ) { /* char assumed to be signed */ CHAR my_schar = -128; /* 8-bit signed char types are in the range -128 to 127. */ my_schar--; /* Not ok - exceeded the minimum value. */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
CAST | : | 5.6.3 | ||
CERT-C | : | INT32-C | ||
CERT-J | : | INT03-J | ||
CMSE | : | 6.1.14 | ||
CWE | : | 128, 190, 191, 192, 197, 680, 758 | ||
GJB | : | 4.6.1.14 | ||
HIS | : | 51 | ||
MISRA-AC | : | 21.1 | ||
MISRA-C++:2008 | : | 5-19-1 | ||
MISRA-C:1998 | : | 51 | ||
MISRA-C:2004 | : | 21.1 |
The use of typedefs, as opposed to the basic numerical types, is encouraged to clarify the size of the storage. To ensure that the aim is fulfilled, each typedef must incorporate a value to indicate the size in bits.
A typedef that includes the phrase bool need not include a size. The phrase bool is not case sensitive.
typedef unsigned int uint32_t; /* Ok */ typedef int Boolean; /* Ok */ typedef unsigned short my_uint; /* Not ok - should indicate size, e.g. uint16_t */ static void static_495( void ); /******************************************************************* * Standard 495 S : Typedef name has no size indication * A/Ref: *******************************************************************/ static void static_495( void ) { my_uint local_var; /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The use of function prototypes enables the compiler to enforce the consistent use of a function interface, without the necessity to make assumptions about argument types for instance. If a function is to be invoked before it has been defined then the a prototype shall have previously been declared.
#include "c_standards.h" static void static_496( void ); /******************************************************************* * Standard 496 S : Function call with no prior declaration * A/Ref: *******************************************************************/ static void static_496( void ) { /***/ UINT_32 my_local = 42U; /***/ static_496_helper(); /* No prior declaration */ /***/ } static void static_496_helper( SINT_16 p1 ) /* Not compatible with earlier implicit declaration */ { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to c++ and java.
A structure or union type shall not remain partially specified in a translation unit. Behaviour is undefined for any object that refers to an incomplete type.
#include "c_standards.h" static void static_497( void ); /******************************************************************* * Standard 497 S : Type is incomplete in translation unit * A/Ref: *******************************************************************/ static void static_497( void ) { /***/ struct st s1; /* struct st is not specified */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The inline keyword should not be used for member functions. Implicit inlining by means of putting the definition in the class body is preferred. This will instruct the compiler to inline rather than merely provide a hint to do so.
#include "c_standards.h" // // Standard 498 S : Use of inline keyword // A/Ref: // class MyClass { public: UINT_32 impl_in_method(void) { return 1U; } // ok UINT_32 expl_in_method1(UINT_32 m1p); inline UINT_32 expl_in_method2(UINT_32 m2p) { return m2p*2; } // not ok }; void static_498( void ); inline UINT_32 MyClass::expl_in_method1(UINT_32 m1p) { return m1p*2; } // not ok void static_498( void ) { MyClass * buffer = new MyClass; UINT_32 res1 = buffer->impl_in_method(); UINT_32 res2 = buffer->expl_in_method1(res1); UINT_32 res3 = buffer->expl_in_method2(res2); // ... delete buffer; } // // // Copyright (c) 2007 Liverpool Data Research Associates // //
HIC++ | : | 3.1.7 |
This standard is not applicable to java.
The use of default arguments to a copy constructor gives rise to ambiguity with compiler-supplied implicit copy constructors. Default parameters should be used with caution.
#include "c_standards.h" // // Standard 499 S : Too many default parameters in copy ctor. // A/Ref: // class MyClass { public: MyClass(); // A default copy ctor will be created by compiler... MyClass(const MyClass & mc, UINT_32 m_b = 42U) // not ok { m_a = mc.m_a * 2; } protected: private: UINT_32 m_a; UINT_32 m_b; }; void static_499( MyClass & mcp ); void static_499( MyClass & mcp ) { MyClass * buffer = new MyClass(mcp); // which copy ctor is called? // ... delete buffer; } // // // Copyright (c) 2007 Liverpool Data Research Associates // //
JSF++ AV | : | 77.1 |
This standard is not applicable to c and java.
All classes should provide an output operator to facilitate debugging and testing of code.
//LDRA_STANDARD_ON 500 S #define __USE_STD_IOSTREAM #include "c_standards.h" #include <iostream> // // Standard 500 S : Class does not have a << output operator. // A/Ref: // class MyClass { public: MyClass() { m_data = "initial ";} // // No overloaded 'operator <<' - not ok // ostream & operator <<(ostream & outp) { outp << m_data << "and more text "; return outp; } // char * m_data; protected: private: }; void static_500( void ); void static_500( void ) { MyClass buffer; // ... // buffer << cout; } // // // Copyright (c) 2007 Liverpool Data Research Associates // //
HIC++ | : | 3.1.12 |
This standard is not applicable to c and java.
A pure virtual method signifies an abstract base class. The implementation of its pure virtual methods shall be provided by non-abstract classes, which derive from the base class, and not the base class itself.
#include "c_standards.h" // // Standard 501 S : Pure virtual member defined. // A/Ref: // void static_501( void ); class Base { public: virtual void pvf_member(void)=0; protected: private: }; void Base::pvf_member(void) { ; } // not ok class Derived : public Base { public: void pvf_member(void) { ; } // ok - overridden here in derived class }; void static_501( void ) { Derived * buffer = new Derived; // ... delete buffer; } // // // Copyright (c) 2007 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
The number of elements shall not be specified when deleting an array of objects. The feature is obsolete and non-standard ISO C++.
#include "c_standards.h" // // Standard 502 S : Delete contains number of elements. // A/Ref: // class MyClass { public: MyClass(); protected: private: }; void static_502( void ); void static_502( void ) { MyClass * buffer = new MyClass[3]; delete [2] buffer; // not ok UINT_32 * uint_array = new UINT_32[5]; delete [3] uint_array; // not ok SINT_32 * int_array = new SINT_32[7]; delete [] int_array; // ok // ... } // // // Copyright (c) 2007 Liverpool Data Research Associates // //
HIC++ | : | 12.4 |
This standard is not applicable to c and java.
A dereferenced pointer (or reference) to a dynamically allocated local object shall not be returned by a function. Ownership of the resource is effectively transferred by the call, which may not be clear, resulting in 'dangling' handles.
#include "c_standards.h" // // Standard 503 S : Function returns local resources. // A/Ref: // class MyClass { public: MyClass(); protected: private: }; MyClass static_503( void ); MyClass static_503( void ) { MyClass * buffer = new MyClass; return * buffer; } int main(void) { MyClass mc2; mc2 = static_503(); // not ok - resources have been created by call // return 0; } // // // Copyright (c) 2007 Liverpool Data Research Associates // //
This standard is not applicable to java.
Nested template arguments lead to successive > symbols, which could be interpreted as a shift operator if not delimited by a space character. Failure to insert a space between angle brackets may cause confusion.
#include "c_standards.h" // // Standard 504 S : Space required between > and >. // template <class A, class B> class Outer {}; template <class C> class Inner {}; void static_504( void ); void static_504( void ) { Outer <UINT_32,Inner <UINT_32>> notok; Outer <UINT_32, Inner <UINT_32> > ok; //... } int main(void) { static_504(); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
This standard is not applicable to c.
In declaring the control variable in the for loop, scope of that variable is limited (and is specific) to that for loop.
#include "c_standards.h" #define MAX_SIZE 10U // // Standard 505 S : Control variable not declared in for loop. // void static_505( void ); void static_505( void ) { UINT_16 loop_var1; for (loop_var1 = 0U; loop_var1 < MAX_SIZE; loop_var1++) // Not ok { ; } for (UINT_32 loop_var2 = 0U; loop_var2 < MAX_SIZE; loop_var2++) { ; } } int main(void) { static_505(); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
HIC++ | : | 5.12 |
This standard is not applicable to c.
Do not use expressions with type bool as operands to relational operators <, >, <=, and >=. The use these operators is unlikely to lead to results that match the developers expectations.
Note that MISRA-C++:2008 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA-C++:2008 programming model or by configuring the modifier 331 in the creport.dat file. (TBmisra license permitting). Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" // // Standard 506 S : Use of boolean with relational operator. // void static_506( const bool b1, const bool b2 ) { if (b1 < b2) // not compliant. { // ... } else { // ... } } int main(void) { UINT_32 yy, zz; bool xx = true; //... static_506(xx, (yy==zz)); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
MISRA-C++:2008 | : | 4-5-1 |
This standard is not applicable to c and java.
Explicit casts applied to a complex expression of floating-point type may lead to unexpected results. Arithmetic is likely to be performed prior to conversion which may come as a surprise to the developer.
#include "c_standards.h" // // Standard 507 S : Explicit cast from integral to floating point type. // void static_507( const SINT_32 p1, const SINT_32 p2); void static_507( const SINT_32 p1, const SINT_32 p2) { FLOAT_32 ff; ff = static_cast < FLOAT_32 > ( p1 / p2 ); // Not ok. } int main(void) { SINT_32 i1,i2; //... static_507(i1, i2); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
MISRA-C++:2008 | : | 5-0-7 |
This standard is not applicable to c.
By taking the address of an object of incomplete type, where the complete type contains an overloaded definition of the operator &, behaviour is undefined.
#include "c_standards.h" // // Standard 508 S : Operator & overloaded. // class MyClass; void befoo( MyClass & mm ); void static_508( MyClass & mm ); void befoo( MyClass & mm ) { &mm; // built-in operator & } class MyClass { public: MyClass * operator & (); // Not ok }; void static_508( MyClass & mm ) { &mm; // overloaded operator & } int main(void) { MyClass my_c; //... befoo( my_c ); static_508( my_c ); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
MISRA-C++:2008 | : | 5-3-3 |
This standard is not applicable to c and java.
A backwards jump from a goto to a label can create iterations. The well defined iteration statements shall be used in preference. The use of goto statements is restricted to forward jumps to a label inside the same procedure.
#include "c_standards.h" // // Standard 509 S : Goto label is backwards. // void static_509( const UINT_32 p1 ); void static_509( const UINT_32 p1 ) { UINT_32 xx = 0; //... lab1: xx++; if ( p1 > xx ) { goto lab2; // Ok } else { goto lab1; // Not ok - results in an iteration } lab2: xx++; //... } int main(void) { //... static_509( 42U ); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
MISRA-C++:2008 | : | 6-6-2 |
This standard is not applicable to java.
Loop counters that are incremented such that values may be skipped should not be tested with == or !=. The loop may not terminate.
#include "c_standards.h" #define MAX_SIZE 10U // // Standard 510 S : Loop counter increment and operator defect. // void static_510( void ); void static_510( void ) { for (UINT_32 loop_var = 1U; loop_var != MAX_SIZE; loop_var +=2U) { ; } } int main(void) { //... static_510(); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
MISRA-C++:2008 | : | 6-5-2 |
The use of goto is restricted such that any label referenced by a goto should be in the same block or in an outer block that encloses the goto statement. Non compliance leads to complicated flow graphs and code that is difficult to maintain.
#include "c_standards.h" // // Standard 511 S : Jump into nested block. // void static_511( UINT_32 p1 ); void static_511( UINT_32 p1 ) { UINT_32 local = 0U; UINT_32 action = 0U; goto lab1; for(local; local < MAX_SIZE; local++) { lab1: action += p1; } } int main(void) { //... static_511(5U); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
MISRA-C++:2008 | : | 6-6-1 |
The use of unnamed namespaces in header files is not permitted. An unnamed namespace shall be unique within each translation unit. By declaring an entity in a header file within an unnamed namespace, that entity may span translation units but will not be common, which the developer may not expect.
.h file // // Standard 512 S : Use of unnamed namespace. // namespace { extern UINT_32 stat_dur; // Not ok } void static_512( UINT_32 p1 ); // // // Copyright (c) 2008 Liverpool Data Research Associates // // .cpp file // // Standard 512 S : Use of unnamed namespace. // namespace { UINT_32 stat_dur; } void static_512( UINT_32 p1 ) { stat_dur = p1; // Only visible within this translation unit... //... } int main( void ) { //... static_512(5U); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
MISRA-C++:2008 | : | 7-3-3 |
This standard is not applicable to c and java.
Using-declarations or fully qualified names shall be adopted in favour of using-directives, as the latter adds additional scopes. Further lookups lead to the introduction of possibly unnecessary and potentially confusing extra identifiers.
#include "c_standards.h" // // Standard 513 S : Use of using directive. // namespace NS1 { UINT_32 a1; UINT_32 b1; UINT_32 c1; } using namespace NS1; // Not ok - using directive. namespace NS2 { UINT_32 a2; UINT_32 b2; UINT_32 c2; } using NS2::b2; // Ok - using declarative. namespace NS3 { UINT_32 a3; UINT_32 b3; UINT_32 c3; } void static_513( void ) { ++a1; // b1, c1 also visible but not required. ++b2; ++NS3::c3; } int main( void ) { //... static_513(); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
The placement of using-directives and using-declarations shall be avoided in header files, so that the behaviour of a program cannot be affected by the order in which header files are included.
.h file 1 #include "c_standards.h" // // Standard 514 S : Using directive or declaration in header. // void func_514( UINT_32 ); namespace NS1 { void func_514( UCHAR ); } // // // Copyright (c) 2008 Liverpool Data Research Associates // // .h file 2 // // Standard 514 S : Using directive or declaration in header. // namespace NS1 { } using namespace NS1; // Not ok - using directive. // // // Copyright (c) 2008 Liverpool Data Research Associates // // .cpp file #include "static_514_2.h" #include "static_514_1.h" // // Standard 514 S : Using directive or declaration in header. // void static_514( void ) { func_514( 0U ); // Calls UCHAR version, but if the order of the // header files switched then UINT_32 version called. } int main( void ) { //... static_514(); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Variable declarations shall not be combined with other declarators. Multiple declarators may lead to confusion regarding the type of an identifier.
Note that MISRA-C++:2008 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA-C++:2008 programming model or by configuring the modifier 331 in the creport.dat file. (TBmisra license permitting). Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" // // Standard 515 S : More than one variable in declaration. // UINT_16 * a1, b1 = 0; void static_515( void ) { UINT_32 * local = NULL; local = (UINT_32 *)b1; // Developer mistakenly believes b1 to be // a pointer type? } int main( void ) { //... static_515(); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
MISRA-C++:2008 | : | 8-0-1 |
This standard is not applicable to c and java.
Assembly code must be embedded using the standard asm keyword. Parameters to asm are still implementation-dependent, but it at least allows a consistent mechanism and aids portability.
#include "c_standards.h" // // Standard 516 S : Assembler does not use asm declaration. // void static_516_ok( void ); void static_516_notok( void ); void static_516_ok( void ) { asm("NOP"); } void static_516_notok( void ) { #pragma asm "NOP" #pragma endasm } int main( void ) { //... static_516_ok(); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
MISRA-C++:2008 | : | 7-4-2 |
This standard is not applicable to c and java.
The global namespace shall only contain main, namespace declarations and extern "C" declarations. The use of namespaces reduces the names found during lookup, reducing the chance of accidentally using an identifier in error.
#include "c_standards.h" // // Standard 517 S : At least one declaration in global namespace. // UINT_32 global; // Not ok. void static_517_1( void ); // Not ok. namespace { UINT_32 stat_dur; } namespace NS1 { void static_517_2( void); void static_517_2( void ) { //... } } void static_517_1( void ) { //... } int main( void ) { //... static_517_1(); NS1::static_517_2(); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
MISRA-C++:2008 | : | 7-3-1 |
This standard is not applicable to c and java.
A using-declaration shall not be straddled by multiple declarations for an identifier in the same namespace. Subsequent declarations after the using-declaration are not included when lookup occurs, which the developer may not expect.
#include "c_standards.h" // // Standard 518 S : Using declaration is straddled by declarations. // void static_518( void ); namespace NS1 { void func_518( UINT_16 ); } using NS1::func_518; namespace NS1 { void func_518( UINT_32 ); // Not ok. } void static_518( void ) { func_518( 0U ); } int main( void ) { //... static_518(); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
MISRA-C++:2008 | : | 7-3-5 |
This standard is not applicable to c and java.
A function shall not return a reference or a pointer to a parameter that is passed by reference. Whether or not a temporary object is created for the parameter is implementation-defined. However, if a local copy is used, returning a reference or a pointer leads to undefined behaviour.
#include "c_standards.h" // // Standard 519 S : Return of reference parameter. // UINT_32 & static_519( UINT_32 & p1 ); UINT_32 & static_519( UINT_32 & p1 ) { return ( p1 ); } int main( void ) { UINT_32 xx; UINT_32 yy; yy = static_519(xx); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Explicitly signed or unsigned integrals, or bool, shall be used for bit-fields. Using plain integer or an enumerated type is implementation-defined with regards to the underlying type representation as signed or unsigned.
#include "c_standards.h" // // Standard 520 S : Bit field is not bool or explicit integral. // namespace { struct S { int xx : 2; }; } void static_520( void ); void static_520( void ) { struct S st; //... } int main( void ) { static_520(); //... return 0; } // // // Copyright (c) 2008 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
The use of classes that are derived from virtual base classes can lead to unexpected behaviour.
#include "c_standards.h" static void static_521( void ); /******************************************************************* * Standard 521 S : Class derived from virtual base class. *******************************************************************/ class base521 { void proc(); private: SINT_32 ff; }; class deriv521: virtual base521 /* not compliant */ { }; static void static_521( void ) { /***/ ; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 10-1-1 |
This standard is not applicable to c and java.
The copy assignment operator shall not be declared public in an abstract class, as it results in only the base sub-objects being copied. This can lead to unexpected behaviour.
#include "c_standards.h" static void static_522( void ); /******************************************************************* * Standard 522 S : Public assign operator in abstract class. *******************************************************************/ class c522 { public: c522 & operator = ( c522 & xx ); /* not compliant */ virtual void proc() = 0; }; static void static_522 ( void ) { /***/ ; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to c and java.
If a pointer object to dynamically created memory is thrown, it may be unclear which function is then responsible for destroying it. To avoid this problem, exceptions should never be thrown as pointers.
#include "c_standards.h" static void static_523( void ); /******************************************************************* * Standard 523 S : Exception type is pointer. *******************************************************************/ class c523 { SINT_32 ff; }; static void static_523( void ) { /***/ c523 ac523; c523 * ptr = & ac523; try { throw (ptr); /* not compliant */ } catch ( c523 * pp ) { } /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 15-0-2 |
This standard is not applicable to c and java.
A jump into a try or catch statement is illegal in C++. However, not all compilers will issue an error.
#include "c_standards.h" static void static_524( void ); /******************************************************************* * Standard 524 S : Jump into try or catch statement. *******************************************************************/ // note that this problem is usually caught by a compiler. static void static_524( void ) { /***/ SINT_32 aa = 7; if ( aa == 0 ) { goto l1; /* not compliant */ } try { SINT_32 ss = 0; l1: ss = 2; /* not compliant */ } catch(...){ } /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 15-0-3 |
This standard is not applicable to c.
throw(NULL) is always caught by an integer handler. Developers might expect it to be caught by a pointer handler. An explicit cast on NULL to a pointer should be used.
#include "c_standards.h" static void static_525( void ); /******************************************************************* * Standard 525 S : throw with explicit NULL. *******************************************************************/ static void static_525( void ) { /***/ try { throw( NULL ); /* not compliant */ } catch(SINT_32 * pp) { } /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 15-1-2 |
This standard is not applicable to c.
An empty throw (throw;) shall only be used in a catch statement, otherwise the behaviour of the program is dependent on the implementation.
#include "c_standards.h" static void static_526( void ); /******************************************************************* * Standard 526 S : Empty throw is not in catch statement. *******************************************************************/ static void static_526( void ) { throw; /* not compliant */ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 15-1-3 |
This standard is not applicable to c.
A master exception handler should exist that catches all unhandled exceptions. Otherwise, the behaviour of the program is dependent on the implementation.
#include "c_standards.h" static void static_527( void ); /******************************************************************* * Standard 527 S : No master exception handler. *******************************************************************/ INT main ( void ) { /***/ ; /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to c.
All constructors of a class should explicitly call a constructor for its immediate base classes and virtual base classes. This can lead to unexpected behaviour as it may not be obvious which constructors are used. Testbed adds the required base class constructors.
#include "c_standards.h" static void static_528( void ); /******************************************************************* * Standard 528 S : Base class constructor omitted (added by Testbed) *******************************************************************/ class base528 { public: }; class no_base_ctor_528: base528 { public: no_base_ctor_528() /* not compliant */ { } } ; static void static_528( void ) { no_base_ctor_528 a528; } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 12-1-2 |
This standard is not applicable to c.
Static members shall not be changed in constructors. Otherwise the behaviour of the program is dependent on the implementation.
#include "c_standards.h" static void static_529( void ); /******************************************************************* * Standard 529 S : Static member initialised/assigned in constructor. *******************************************************************/ class cl529 { public: cl529() { ff529 = 7; /* not compliant */ } private: static SINT_16 ff529; }; static void static_529( void ) { cl529 a529; } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 12-8-1 |
This standard is not applicable to c.
NULL has the value 0, which is both an integer and the value for a null pointer. It is recommended that NULL be used as the null pointer constant and 0 for the integer zero.
#include <stdlib.h> #include "c_standards.h" static void static_530( void ); /******************************************************************* * Standard 530 S : NULL used in integer context. *******************************************************************/ static void static_530( void ) { /***/ UINT_32 xx = 0; if( xx == NULL ){;} /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 4-10-1 |
The literal value 0 is both an integer and the value for a null pointer. It is recommended that NULL be used as the null pointer constant and 0 for the integer zero.
#include <stdlib.h> #include "c_standards.h" static void static_531( void ); /******************************************************************* * Standard 531 S : Literal zero used in pointer context. *******************************************************************/ static void static_531( void ) { /***/ UINT_32 * pxx = NULL ; if( pxx == 0 ) {;} /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
There should be an explicit copy constructor if a template copy constructor is present, otherwise a default constructor is generated by the compiler. The programmer may be surprised when the default constructor is called in preference to the one explicitly supplied.
#include "c_standards.h" static void static_532( void ); /******************************************************************* * Standard 532 S : No copy ctor for templated copy ctor. *******************************************************************/ class A { public: A ( ) { } // A ( A const & rhs ); // #1 - implicitly generated copy constructor template <typename T> A ( T const & rhs ) // #2 : i ( new SINT_32 ) { *i = *rhs.i; } private: SINT_32 * i; // Member requires deep copy }; /* not compliant */ static void static_532( void ) { /***/ ; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 14-5-2 |
This standard is not applicable to c and java.
There shall be an explicit copy assignment operator if a template assignment operator is present. Otherwise, a default copy assignment operator is generated by the compiler. The programmer may be surprised when the default constructor is called in preference to the one explicitly supplied.
#include "c_standards.h" static void static_533( void ); /******************************************************************* * Standard 533 S : No assgnmt optor for templated assgmnt op. *******************************************************************/ class A { public: // A & operator= ( A const & rhs ) #1 - implicitly generated // { // i = rhs.i; // return *this; // } template <typename T> T & operator= ( T const & rhs ) // #2 { if ( this != & rhs ) { delete i; i = new SINT_32; *i = *rhs.i; } return *this; } private: SINT_32 * i; }; // not compliant static void static_533( void ) { ; } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 14-5-3 |
This standard is not applicable to c and java.
... Awaiting Documentation ...
... Awaiting Example .... /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 5-2-12 |
This standard is not applicable to c and java.
Both operands of binary bitwise operators should have the same (underlying) type. This prevents confusion over how many bits are used.
#include "c_standards.h" static void static_535( void ); /******************************************************************* * Standard 535 S : Binary bitwise op with different types. *******************************************************************/ static void static_535( void ) { UINT_32 i535 = 7U; UINT_16 j535 = 9U; i535 ^= j535; /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 5-0-20 |
This standard is not applicable to c and java.
Enumerated types shall not be used as a bit-field type as the C++ standard does not specify whether the underlying representation is signed or unsigned.
#include "c_standards.h" static void static_536( void ); /******************************************************************* * Standard 536 S : Enum type in bit field. *******************************************************************/ typedef enum { aa539, bb539 } type539; static void static_536( void ) { struct tag539 { type539 af539:4; /* not compliant */ }; } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 9-6-3 |
This standard is not applicable to c and java.
A loop control variable, which is is not a loop counter, shall not be modified in the test or increment expression of a for loop. This reduces the risk of a non-terminating loop.
#include "c_standards.h" static void static_537( void ); /******************************************************************* * Standard 537 S : Extra loop control variable changed. *******************************************************************/ static UINT_32 test ( UINT_32 *v ); static UINT_32 test ( UINT_32 *v ) { *v = *v + 1U; return ( *v < 10U ); } static void static_537( void ) { /***/ UINT_32 bool_a = FALSE; UINT_32 x; for ( x = 0U; ( x < 10U ) && test ( & bool_a ); /* not compliant */ ++x ) { ; } /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 6-5-5 |
Class, function and member templates should always be instantiated. A missing instantiation may indicate a problem with the code.
#include "c_standards.h" static void static_538( void ); /******************************************************************* * Standard 538 S : Template class/function/member not instantiated. *******************************************************************/ template <typename T> class cl538{ void proc538 () { } }; /* not compliant */ static void static_538( void ) { /***/ ; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 14-7-1 |
This standard is not applicable to c.
Overloaded function templates shall not be explicitly specialised. The specializations occur after overload resolution and may be contrary to the developer's expectations.
#include "c_standards.h" static void static_539( void ); /******************************************************************* * Standard 539 S : Specialised overloaded templated function. *******************************************************************/ template <typename T> void proc(T p1){} // function 1 template <typename T> void proc(T *p1){} // function 2 // This is a specialisation of function 1, for T == SINT_32* template <> void proc <SINT_32> (SINT_32 p2){} /* not compliant */ static void static_539( SINT_32 *value ) { proc(value); // Calls function 2 } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 14-8-1 |
This standard is not applicable to c.
A cast from a pointer to void to a pointer shall not be performed. This may lead to unspecified behaviour.
#include "c_standards.h" static void static_540( void ); /******************************************************************* * Standard 540 S : Cast from pointer to void to pointer. *******************************************************************/ static void static_540( void ) { void * pv = 0; UINT_16 * pu; pu = reinterpret_cast <UINT_16 *> (pv); /* not compliant */ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to c and java.
An ellipsis (catch-all) handler shall occur after any other handlers. Otherwise, any handlers after the catch-all handler will never be executed.
// Note this may not always compile. #include "c_standards.h" static void static_541( void ); /******************************************************************* * Standard 541 S : Catch-all is not last catch. *******************************************************************/ static void static_541( void ) { try { } catch (...){ /* not compliant */ } catch(SINT_32 pp){ } } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 15-3-7 |
This standard is not applicable to c and java.
A loop control variable, which is not a loop counter, shall be of boolean type. This makes the code easy to understand as such variables are typically used to terminate a loop early.
SINT32 x = 0; SINT32 y = 0; for (x = 0; (x < 10) && (y != 21); x++, y++) /* not compliant */ {...} /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 6-5-6 |
A virtual base shall only be used as the common base class in a diamond hierarchy. This avoids potentially confusing behaviours.
#include "c_standards.h" static void static_543( void ); /******************************************************************* * Standard 543 S : Virtual base not in diamond hierarchy. *******************************************************************/ class base1 { virtual void proc(); }; class deriv1: virtual base1 { }; static void static_543( void ) { } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 10-1-2 |
This standard is not applicable to c and java.
A virtual function that is not pure shall not be overridden by a pure virtual function. This may not meet developer's expectations.
#include "c_standards.h" static void static_544( void ); /******************************************************************* * Standard 544 S : Member re-declared pure. *******************************************************************/ class base1 { virtual void proc()=0; }; class base2: base1 { virtual void proc() {} }; class base3: base2 { virtual void proc()=0; // not compliant }; static void static_544( void ) { } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 10-3-3 |
This standard is not applicable to c and java.
Assignment between objects that have overlapping storage is undefined and shall not be used.
#include "c_standards.h" static void static_545( void ); /******************************************************************* * Standard 545 S : Assignment of overlapping storage. *******************************************************************/ static void static_545( void ) { union { UINT_16 i; UINT_32 j; } a; a.j = 23U; a.i = a.j; /* not compliant */ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
The function or operator chosen by the overload resolution shall resolve to a function/ operator declared before the template declaration. Otherwise, the behaviour may be contrary to the developer's expectations.
#include "c_standards.h" static void static_546( void ); /******************************************************************* * Standard 546 S : Overload resolution could be forward. *******************************************************************/ void func (SINT_32 pp){} template <typename T > void proc(T aa ) { func(aa); // not compliant } void func (UINT_32 pp){} static void static_546( void ) { } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 14-6-2 |
This standard is not applicable to c and java.
All names in the dependent base of a class template shall be qualified by using a "qualified-id"or "this->". Otherwise, the behaviour may be contrary to the developer's expectations.
#include "c_standards.h" static void static_547( void ); /******************************************************************* * Standard 547 S : Base member not qualified. *******************************************************************/ template <typename T> class base { protected: T abf; }; template <typename T> class deriv : public base <T> { void aproc() { abf = 77; /* not compliant */ base::abf = 79; /* compliant */ this-> abf = 0; /* compliant */ } }; static void static_547( void ) { /***/ ; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 14-6-1 |
This standard is not applicable to c and java.
The use of curly brackets, { }, around a procedure body is recommended for maintenance purposes.
#include "c_standards.h" static void static_548( void ); /******************************************************************* * Standard 548 S : Procedure body needs brackets. *******************************************************************/ SINT_32 glob=0; void duff_proc() try{}catch(...){}; /* not compliant */ static void static_548( void ) { duff_proc(); } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
ESA-BSSC | : | 12 |
This standard is not applicable to c.
Exception handlers in a constructor or destructor shall not reference nonstatic members from the same class or its bases. This leads to undefined behaviour.
#include "c_standards.h" static void static_549( void ); /******************************************************************* * Standard 549 S : Catch in c'tor/d'tor references nonstatic member *******************************************************************/ class aclass { public: aclass() { try{ } catch(...){ aff = 9; bff = 7; } /* not compliant */ } private: SINT_32 aff; SINT_32 bff; }; static void static_549( void ) { /***/ ; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 15-3-3 |
This standard is not applicable to c and java.
A U suffix shall be added to unsigned hexadecimal and octal literals. The type of hexadecimal and octal literals depends on the implemented integer size. The addition of the suffix clarifies the type to the reader.
#include "c_standards.h" /******************************************************************* * Standard 550 S : Unsuffixed hex or octal is unsigned, add U. *******************************************************************/ static void static_550( void ) { /***/ UINT_32 xx; xx = 0x8ff7 ; /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
Down-casting an abstract base class to a derived class should be avoided. Such casting may cause unexpected behaviour if the code is later modified.
Note that MISRA-C++:2008 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA-C++:2008 programming model or by configuring the modifier 331 in the creport.dat file. (TBmisra license permitting). Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" static void static_551( void ); /******************************************************************* * Standard 551 S : Cast from base to derived for polymorphic type. *******************************************************************/ class base { public: virtual void proc()=0; }; class deriv: public base { virtual void proc(){}; }; static void static_551( base & b1 ) { deriv d1; deriv * pd1; base * pb = & b1; pd1 = reinterpret_cast <deriv *> (& b1); /* not compliant */ pd1 = dynamic_cast <deriv *> (& b1); /* not compliant */ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 5-2-3 |
This standard is not applicable to c.
Tag names shall not be re-declared within the program, other than through the inclusion of a header file containing the definition, in multiple source files.
#include "c_standards.h" static void static_552( void ); /******************************************************************* * Standard 552 S : Class, enum, struct or union name reused. *******************************************************************/ void proc () { class bone {}; { int bone; /* not compliant */ } } static void static_552( ) { int bone; /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 2-10-4 |
This standard is not applicable to c.
If a function is declared static, all re-declarations or definitions should include the static specifier. This clarifies the linkage of the function to the developer.
#include "c_standards.h" static void static_553( void ); /******************************************************************* * Standard 553 S : Function and proto should both be static. *******************************************************************/ void static_553( void ) /* not compliant */ { /***/ ; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
CERT-C | : | DCL15-C | ||
MISRA-AC | : | 8.11 | ||
MISRA-C++:2008 | : | 3-3-2 | ||
MISRA-C:2004 | : | 8.11 | ||
NETRINO | : | 1.8.a, 6.2.e | ||
SEC-C | : | M2.2.2, M2.2.3 |
This standard is not applicable to java.
... Awaiting Documentation ...
#include "c_standards.h" static void static_554( void ); /******************************************************************* * Standard 554 S : Cast to an unrelated type. *******************************************************************/ static void static_554( void ) { /***/ struct tag1 { UINT_16 u16; }; struct tag1 *st1; struct tag2 { UINT_32 u32; }; struct tag2 *st2; st2 = (struct tag2 *)(st1); /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
All visible base class members should be unique names. This removes the possibility of ambiguous names, which the compiler may fail to report.
#include "c_standards.h" static void static_555( void ); /******************************************************************* * Standard 555 S : Base class member name not unique. *******************************************************************/ class base { SINT_32 aff; }; class deriv : public base { SINT_32 aff; /* not compliant */ }; static void static_555( void ) { ; } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 10-2-1 |
This standard is not applicable to c.
An base class handler shall occur after any derived class handlers. Otherwise, any handlers after the base class handler will never be executed.
#include "c_standards.h" static void static_556( void ); /******************************************************************* * Standard 556 S : Wrong order of catches for derived class. *******************************************************************/ class base { }; class deriv : public base { }; static void static_556( void ) { try { } catch( base & p1) { /* not compliant */ } catch( deriv & p2 ){ } } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 15-3-6 |
This standard is not applicable to c.
A function call should not throw an exception.
#include "c_standards.h" static void static_557( void ); /******************************************************************* * Standard 557 S : Function call can generate throw exception. *******************************************************************/ void throwfunc() { throw; } static void static_557( void ) { throwfunc(); /* not compliant */ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to c.
A template should not contain features that may lead to an ill-formed program.
#include "c_standards.h" static void static_558( void ); /******************************************************************* * Standard 558 S : Template may lead to ill-formed program. *******************************************************************/ template <typename T> class duff { void func() { T at; at.xx = 77; /* not compliant */ } }; static void static_558( void ) { /***/ ; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 14-7-2 |
This standard is not applicable to c and java.
There shall be only one definition of each virtual member function on each path through the hieracrchy. This provides clarity of the code.
#include "c_standards.h" static void static_559( void ); /******************************************************************* * Standard 559 S : Virtual member defined more than once. *******************************************************************/ class one { virtual void func(){} }; class two : public one { virtual void func(); }; class three : public two { virtual void func(){} /* not compliant */ }; static void static_559( void ) { /***/ ; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 10-3-1 |
This standard is not applicable to c and java.
It is good practise to restrict the scope of a variable to the scope in which it is used. This reduces possibility that the identifier is used accidentally.
#include "c_standards.h" static void static_560( void ); /******************************************************************* * Standard 560 S : Scope of variable could be reduced. *******************************************************************/ static void static_560( void ) { /***/ UINT_16 us; { us = 78; /* not compliant */ } /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
The dynamic type of an object shall not be used in its constructor or destructor. During the construction and destruction of an object, its type may be different to that of the completely constructed object. Therefore, the result may be contrary to the developer's expectations.
#include "c_standards.h" static void static_561( void ); /******************************************************************* * Standard 561 S : Use of dynamic type in c'tor/d'tor. *******************************************************************/ class one { virtual void func(); one() { typeid(one); /* not compliant */ } }; static void static_561( void ) { } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 12-1-1 |
This standard is not applicable to c and java.
Increment, decrement and assignment operators should not be used as macro parameters. Such use can lead to unspecified behaviour if the expanded expression depends on the order in which side effects take place.
#include "c_standards.h" static void static_562( void ); /******************************************************************* * Standard 562 S : Use of ++,-- or = in macro parameters. *******************************************************************/ #define MAC( x ) x + 10 static void static_562( void ) { INT_16 aa = 1; /***/ MAC ( aa++ ); /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
... Awaiting Documentation ...
... Awaiting Example ... /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
The scope of the reference is wider than the scope of the reference being assigned which can lead to undefined behaviour.
#include "c_standards.h" static SINT_32 & static_564( void ); /******************************************************************* * Standard 564 S : Reference assignment to wider scope. *******************************************************************/ SINT_32 aglob = 9; static SINT_32 & static_564( void ) { SINT_32 aloc = aglob; return aloc; /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to c and java.
The scope of the variable is wider than the scope of the address being assigned which can lead to undefined behaviour.
#include "c_standards.h" static void static_565( void ); /******************************************************************* * Standard 565 S : Assignment to wider scope. *******************************************************************/ struct tag { UCHAR ff; }; struct tag *uglob; static void static_565( void ) { static struct tag avar; uglob = & avar; /* not compliant */ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
Performing arithmetic on pointers that are not arrays is considered to be an unsafe activity since there is no guarantee that the result is a valid address.
#include "c_standards.h" static void static_567( UINT_32 * pp ); /******************************************************************* * Standard 567 S : Pointer arithmetic is not on array. *******************************************************************/ static void static_567( UINT_32 * pp ) { UINT_32 * xx; xx = pp +7; /* not compliant */ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
The filename used in a #include should not be the same as a library name. Which file is included depends on the implementation.
Note that this standard is only enabled by configuring the modifier 344 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
/******************************************************************* * Standard 568 S : #include "filename" uses standard library name. *******************************************************************/ void static_568( void ) { /***/ /* not compliant when modifier 344 is set */ #include "stdlib.h" /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
Operators should not be class members. It is not possible to perform an implicit conversion on the left hand side of a binary operator when the operator is a class member.
#include "c_standards.h" static void static_569( void ); /******************************************************************* * Standard 569 S : Operator should be non class member. *******************************************************************/ class one { one(){} SINT_32 operator - ( const SINT_32 xx ){return 77;} /* not compliant */ }; static void static_569( void ) { /***/ ; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
HIC++ | : | 3.5.4 |
This standard is not applicable to c and java.
The static keyword should not be used when declaring objects in namespaces, as it is deprecated by the C++ standard.
#include "c_standards.h" static void static_570( void ); /******************************************************************* * Standard 570 S : Static object declared in namespace. *******************************************************************/ namespace namsp570 { static SINT_32 xx; /* not compliant */ } static void static_570( void ) { } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
HIC++ | : | 8.3.1 |
This standard is not applicable to c and java.
An identifier should not include both 'l'(ell) and 1(one) or 'O'(oh) and '0'(zero). The characters are similar and may confuse the reader.
#include "c_standards.h" static void static_571( void ); /******************************************************************* * Standard 571 S : Identifier with 'l' and 1, 'o' and zero. *******************************************************************/ static void static_571( void ) { SINT_32 Oday0 = 0; /* not compliant */ SINT_32 dlay1 = 0; /* not compliant */ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to c.
There should be no side effects in assert expressions. This enables assertions to be disabled or removed in production code.
#include "c_standards.h" static void static_572( void ); /******************************************************************* * Standard 572 S : Side effect in assert. *******************************************************************/ static void static_572( void ) { /***/ UCHAR xx = 99; assert( xx = 91); /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
A universal character name shall not be created by macro concatenation. This can lead to undefined behaviour.
#include "c_standards.h" static void static_573( void ); /******************************************************************* * Standard 573 S : Macro concatenation of uni char names. *******************************************************************/ static void static_573( void ) { /***/ ; /* not compliant */ #define makename(uc1, uc2, uc3, uc4) uc1##uc2##uc3##uc4 makename ( \U00010401, \U00010401, \U00010401, \U00010402 ) = 4; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
The new operator shall not allocate space for an inconsistent type. This is illegal in C++, but not all compilers will produce an error.
#include "c_standards.h" /* Note that this example may fail to compile */ static void static_574( void ); /******************************************************************* * Standard 574 S : Operator new called with inconsistent type. *******************************************************************/ class one { }; class two { }; static void static_574( void ) { /***/ two * ptwo = new one(); /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to c.
Multiple declarations of an identifier shall not have both internal and external linkage, as this leads to undefined behaviour.
#include "c_standards.h" static void static_575( void ); /******************************************************************* * Standard 575 S : Linkage differs from previous declaration. *******************************************************************/ static INT_32 DCL36_i2 = 20; INT_32 DCL36_i2; /* not compliant */ static void static_575( void ) { /***/ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
A function pointer shall not be cast to a different function pointer type. An implicit cast is illegal in C, but not all compilers will produce an error. An explicit cast may lead to undefined behaviour.
#include "c_standards.h" static void static_576( void ); /******************************************************************* * Standard 576 S : Function pointer is of wrong type. *******************************************************************/ typedef void (*fptr1)(void); typedef UCHAR (*fptr2)(UCHAR uc); static void static_576( void ) { /***/ fptr1 afp; fptr2 bfp; afp = bfp; /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
The argument of sizeof is a pointer. Taking the size of a pointer to a type always returns the size of the pointer and not the size of the type. This can lead to unexpected behaviour if the developer mistakenly assumes that the size of the type is returned.
#include "c_standards.h" static void static_577( void ); /******************************************************************* * Standard 577 S : Sizeof argument is a pointer. *******************************************************************/ UCHAR * puc; static void static_577( void ) { UCHAR xx; /***/ xx = sizeof(puc) ; /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
Sizeof is used in an arithmetic expression. This may indicate that the developer is calculating the size of a type in a way that may lead to an incorrect value.
#include "c_standards.h" static void static_578( void ); /******************************************************************* * Standard 578 S : Sizeof used in arithmetic expression. *******************************************************************/ UCHAR xx; static void static_578( void ) { /***/ xx = sizeof(xx) + 10U; /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
CERT-C | : | EXP03-C |
This standard is not applicable to java.
Variable declarations shall not be combined with other declarators. Multiple declarators may lead to confusion regarding the type of an identifier.
#include "c_standards.h" static void static_579( void ); /******************************************************************* * Standard 579 S : More than one variable in declaration. *******************************************************************/ struct astr { UCHAR f1; SCHAR f2; } okstr1,notokstr2; /* not compliant */ struct astr okstruct1; struct astr okstruct2,notokstruct1; /* not compliant */ UCHAR global_ok1; UCHAR global_ok2,gobal_notok1; /* not compliant */ static void static_579( void ) { UINT_32 local_ok1; UINT_32 local_ok2, localnot_ok1; /* not compliant */ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
A macro shall not be redefined by another #define declaration unless a #undef is used. A redefinition is illegal in C unless the replacement lists are identical. However, not all compilers will produce an error.
#include "c_standards.h" #define WHAT static /* the next macro is not compliant */ #define WHAT volatile INT_16 xx = 9; #define OK static #undef OK #define OK static static void static_580( void ); /******************************************************************* * Standard 580 S : Macro redefinition without using #undef. *******************************************************************/ static void static_580( void ) { /***/ ; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
The use of the logical or operator (||) in the terminating expression of a for loop may lead to unexpected behaviour. The logical and operator (&&) is preferred.
#include "c_standards.h" static void static_581( void ); /******************************************************************* * Standard 581 S : Loop conditions are independent. *******************************************************************/ INT_32 endcond ( void ) { return 1; } static void static_581( void ) { INT_32 ii = 0; INT_32 data[10]; INT_32 end = 0; for ( ii=0; ( ii < 10 ) || ( !end ) ; ii++ ) /* not compliant */ { data[ii] = ii; if ( endcond() != 0 ) { end = 1; } } } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
A const object shall not be reassigned. This is illegal in C and C++, but not all compilers will produce an error.
#include "c_standards.h" static void static_582( const UINT_16 * par1, const UINT_16 * const par2 ); /******************************************************************* * Standard 000 S : const object reassigned. *******************************************************************/ static void static_582( const UINT_16 * par1, const UINT_16 * const par2 ) { /***/ *par1 = 78U; /* not compliant, object is const */ *par2 = 79U; /* not compliant, object is const */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
A pointer comparison will only succeed if two pointers point to the same memory location. A pointer to a string literal is unlikely to refer to the address of the string literal.
#include "c_standards.h" static void static_583( void ); /******************************************************************* * Standard 583 S : Comparison of pointer and string literal. *******************************************************************/ static void static_583( void ) { CHAR * str; str = "def" ; if ( str == "def" ) /* not compliant */ { /***/ } /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
CWE | : | 597 |
This standard is not applicable to java.
The sign of the result of the % operator depends on the compiler in the C90 version of C. The sign is defined in C99, but not all compilers will produce the expected answer.
#include "c_standards.h" static void static_584( void ); /******************************************************************* * Standard 584 S : Remainder of % op could be negative. *******************************************************************/ INT_16 ss = 0; static void static_584( void ) { INT_16 rem; /***/ rem = ss % 4; /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
Mixing bitwise and arithmetic operations on the same data can reduce code readability.
#include "c_standards.h" #include "stdio.h" static void static_585( void ); /******************************************************************* * Standard 585 S : Bitwise and arith operations on same data. *******************************************************************/ typedef enum { shift = 2U, mask = 0x10U, part = 1U } constants; static void static_585( void ) { UINT_32 a = ( getchar () == EOF ) ? 50U : 100U; volatile UINT_32 r; /***/ r = a + ( a << shift ) + part; /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to c++.
The length modifier %j should be used on user-defined integer types.
This standard will only be enabled by configuring the modifier 350 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include <stdio.h> static void static_586( void ); /******************************************************************* * Standard 586 S : Format is not %j for user defined type. *******************************************************************/ static void static_586( void ) { /***/ typedef signed long long long s_t; s_t s; if ( scanf ( "%lld" , & s ) != 1 ) /* not compliant */ { (void) printf ( "*" ); } /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to c++ and java.
A const local variable shall be immediately initialised, as a value cannot be assigned later.
#include "c_standards.h" static void static_587( void ); /******************************************************************* * Standard 587 S : Const local variable not immediately initialised. *******************************************************************/ static void static_587( void ) { /***/ const INT_32 loc; /* not compliant */ loc = 0; INT_32 rr = loc; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
The use of system function may lead to a security vulnerability or unexpected behaviour unless the input string is validated.
#include "stdlib.h" static void static_588( void ); /******************************************************************* * Standard 588 S : Use of system function. *******************************************************************/ static void static_588( void ) { /***/ system(" wow" ); /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
The conversion format specifier does not match the argument used in the function call. This may lead to undefined behaviour.
#include <stdio.h> static void static_589( void ); /******************************************************************* * Standard 589 S : Format is not appropriate type. *******************************************************************/ static void static_589( void ) { /***/ int x = 7; float ff = 8.9F; unsigned u = 9U; char * ss = "oh my" ; (void) printf(" \n %d ", u); (void) printf(" \n %d ", ff); /* not compliant */ (void) printf(" \n %s ", x); /* not compliant */ (void) printf(" \n %d ", ss); /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
The mode string in the call of fopen is not one of the standard strings. This may lead to undefined behaviour.
#include <stdio.h> static void static_590( void ); /******************************************************************* * Standard 590 S : Mode fault in fopen. *******************************************************************/ static void static_590( void ) { /***/ fopen(" afile.h" , "wb+" ); /* ok */ fopen(" afile.h" , "c" ); /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
The use of a copy of a FILE object may lead to unexpected behaviour. The address of the FILE pointer may be significant.
#include <stdio.h> static void static_591( void ); /******************************************************************* * Standard 591 S : Inappropriate use of file pointer. *******************************************************************/ FILE file_f; FILE file_g; FILE * hptr; static void static_591( void ) { /***/ hptr = fopen(" afile.h" ," w" ); file_f = *hptr; file_g = file_f; /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
remove and rename use a filename as an argument. This may lead to a security vulnerability or unexpected behaviour unless the input string is validated.
#include <stdio.h> static void static_592( void ); /******************************************************************* * Standard 592 S : Use of filename based functions. *******************************************************************/ static void static_592( void ) { /***/ (void) remove(" afile.h" ); /* not compliant */ (void) rename(" afile.h" , "bfile.h" ); /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
The fseek function should be used instead of the rewind function, since fseek returns a value to indicate that the rewind has been successful.
#include <stdio.h> static void static_593( void ); /******************************************************************* * Standard 593 S : Use fseek() rather than rewind(). *******************************************************************/ static void static_593( void ) { FILE *fptr = fopen(" afile.h" ," r" ); /***/ rewind(fptr); /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
The setvbuf function should be used instead of the setbuf function, since setvbuf returns a value to indicate that the stream has been successfully altered.
#include <stdio.h> static void static_594( void ); /******************************************************************* * Standard 594 S : Use setvbuf() rather than setbuf(). *******************************************************************/ static void static_594( void ) { FILE *fptr = fopen(" afile.h" ," w" ); setbuf(fptr, NULL); /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
A base member has undergone a change of access. The behaviour may be contrary to the developer's expectations.
#include "c_standards.h" static void static_595( void ); /******************************************************************* * Standard 595 S : Base member with change of access. *******************************************************************/ class base_595 { public: SINT_32 basefield; }; class derived_595: private base_595 { public: base_595::basefield; /* not compliant */ }; static void static_595( void ) { /***/ ; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to c and java.
The first word of the name of a namespace will begin with an uppercase letter. All other letters will be lowercase.
#include "c_standards.h" static void static_596( void ); /******************************************************************* * Standard 596 S : Namespace name starts with lower case letter. *******************************************************************/ namespace lowercase /* not compliant */ { SINT_32 nn = 0; } static void static_596( void ) { /***/ ; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
JSF++ AV | : | 50 |
This standard is not applicable to c and java.
The placement version of the new operator has been used.
#include "c_standards.h" static void static_597( void ); /******************************************************************* * Standard 597 S : Use of placement new. *******************************************************************/ class CApple { public: CApple(SINT_32 iWorms = 0, FLOAT_32 fPrice = 1.0) : m_iWorms(iWorms) , m_fPrice(fPrice) { } public: SINT_32 m_iWorms; FLOAT_32 m_fPrice; }; inline void * operator new(unsigned int st, CApple * ca) { return ca; } static void static_597( void ) { /***/ CApple automaticApple (8,0.0); CApple * pApple4 = new(& automaticApple) CApple ; /* not compliant */ /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to c and java.
The subscripting operator does not specify which operand is the pointer to the array and which is its index. This standard reports when the index is used as first operand.
#include "c_standards.h" /******************************************************************* * Standard 598 S : Alternative array indexing used. *******************************************************************/ UINT_32 static_598( const UINT_32 val ) { UINT_32 data[2]; 1U[data] = val; /* not compliant */ return 1U[data]; /* not compliant */ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
A logical operator ( && or || ) has been detected within an initialisation of a non-boolean variable. It is likely that it has been confused with a bitwise operator, e.g. && instead of &.
#include "c_standards.h" /******************************************************************* * Standard 599 S : Use of && or || in initialisation. *******************************************************************/ #define a 77U #define b 32U UINT_32 arr[4]= { a | b, a || b, /* Not compliant */ a && b, /* Not compliant */ a & b }; /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
The argument of strlen shall be terminated by a null character. Otherwise, the behaviour of the program is undefined.
#include <string.h> #include "c_standards.h" /******************************************************************* * Standard 600 S : Argument of strlen is unterminated. *******************************************************************/ void static_600( void ) { SINT_32 xx; char arr [3] = { 'a', 'b', 'c' }; xx = strlen(arr); /* not compliant */ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
This standard is not applicable to java.
In a derived class, if not all of the overloaded virtual functions of the base class are overridden, then other functions will be hidden. Hidden member functions can make the code more difficult to understand and lead to unexpected results.
#include "c_standards.h" /******************************************************************* * Standard 601 S : Insuffient overriden members. *******************************************************************/ class Base { public: void f( char ){;} void f( int ){;} virtual void one (int &ll); virtual void one (char ll); }; class Derived: public Base { public: void f( int ){;} virtual void one (char ll); // not compliant }; void static_601 ( void ) { Derived d; Base& bref = d; bref.f('c'); // calls Base::f(char) bref.one('c'); // calls Derived::one(char) bref.one((int)c); // calls Base::one(int) } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
HIC++ | : | 3.3.5 |
This standard is not applicable to c and java.
The function strtok modifies its parse string, which is the first argument. Each time strtok is called the function parses the string up to the first instance of a character in the second argument. This character is then overwritten with the null character \0. This can lead to unexpected results.
#include "c_standards.h" #include <string.h> /******************************************************************* * Standard 602 S : strtok may change parse string. *******************************************************************/ void STATIC_602 ( void ) { char *token; char *path = "/usr/bin:/bin:/sbin"; token = strtok ( path, ":" ); /* not compliant */ while ( token = strtok ( 0, ":" ) ) { ... } /* path is now just "/usr/bin" */ } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
Any pointer parameter, whose value is not intended to change, should be protected by the use of const. By making the use of the parameter explicit leads to greater precision in the definition of the function interface.
This standard does not apply to the parameters of main.
#include "c_standards.h" /******************************************************** * Standard 603 S : Parameter should be declared * const. ********************************************************/ SINT_32 global; void static_603 ( SINT_32 * ptr1, /* Not Compliant */ SINT_32 * ptr2 /* Compliant */ ) { *ptr1 = global; /* ptr1 not changed, only its data */ ptr2 = &global; /* ptr2 changed */ } /* * Copyright (c) 2011 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 7-1-1 |
This standard is not applicable to java.
The use of numeric literals, i.e. magic numbers, is generally accepted as undesirable due to the impact on maintainability. This standard checks for uses of literals in array declarations and array indexing. Symbolic names in the form of const variables, or enum constants, should be used instead.
This standard also extends to numeric literals substituted via macros. It is acknowledged that macros might have to be used - particularly with the C language, where the usage of const is more limited than C++. The standard can be relaxed to allow numeric literals substituted via macros by configuring the modifier 163 in the c/cppreport.dat file. Instructions for making alterations can be found in the report.dat file. By default, the standard is configured to allow numeric literals substituted via macros.
It is also recognised that 0 is commonly used in denoting a pointer to the start of an array and so may be excluded from the rule check. This may be done by configuring the modifier 217 in the c/cppreport.dat file.
#include "c_standards.h" /******************************************************************* * Standard 604 S : Use of numeric literal as array bound/subscript. *******************************************************************/ enum { LIMIT = 100 }; #define ARRAY_SIZE 100 void static_604( void ) { SINT_32 array_ok1[ARRAY_SIZE]; /* Compliant but can be prohibited with modifier 163 */ SINT_32 array_ok2[LIMIT]; SINT_32 array_nok[100]; /* Not Compliant */ SINT_32 *ptr = &array[0]; /* Not compliant but permitted with modifier 217*/ array_nok[99] = 3; /* Not Compliant */ } /* * * Copyright (c) 2011 Liverpool Data Research Associates * */
This is similar to n lines of code. It is used to limit the size (and hence complexity) of procedures. The *** symbols refer to a user definable number for this standard. The configuration is made in the <lang>pen.dat file.
#include "C_STANDARDS.H" BOOL isHexDigit( CHAR Hex ); /******************************************************** * Complexity Analysis 1 C : Cyclomatic Complexity greater than *** ********************************************************/ BOOL isHexDigit( CHAR Hex ) { BOOL bResult; bResult = FALSE; if ((Hex == '0') || (Hex == '1') || (Hex == '2') || (Hex == '3') || (Hex == '4') || (Hex == '5') || (Hex == '6') || (Hex == '7') || (Hex == '8') || (Hex == '9') || (Hex == 'A') || (Hex == 'a') || (Hex == 'B') || (Hex == 'b') || (Hex == 'C') || (Hex == 'c') || (Hex == 'D') || (Hex == 'd') || (Hex == 'E') || (Hex == 'e') || (Hex == 'F') || (Hex == 'f')) { bResult = TRUE; } return bResult; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
Reducibility in terms of interval analysis essentially means that the procedure is not a sequence of cleanly nested loops.
This means that the code is poorly structured and reordering the constructs might produce an improvement.
This follows from the structured programming templates supplied.
This is another type of infinite loop. It arises from a control flow loop that has no exit mechanism of any type, e.g.: l: goto l;
This involves the use of entry statements which is compiler dependent.
This standard is not applicable to java.
Structured programming usually requires procedures to be single entry single exit. Exits occur at the end of the procedure and at each return statement in functions.
#include <setjmp.h> #include "c_standards.h" void complexity(BOOL c_1, BOOL c_2, BOOL c_3, BOOL c_4 ); void test_complexity(void); /******************************************************** * Complexity Analysis 2 C : Procedure is not reducible in terms of intervals. * Complexity Analysis 3 C : Procedure contains essential knots. * Complexity Analysis 4 C : Procedure is not structured. * Complexity Analysis 5 C : Procedure contains infinite loop. ********************************************************/ void complexity(BOOL c_1, BOOL c_2, BOOL c_3, BOOL c_4 ) { if (c_1) { label1: if (c_3) { goto label2; } } if (c_2) { if (c_4) { goto label1; } label2: goto label2; } } /******************************************************** * Complexity Analysis 7 C : Procedure has more than one exit point. ********************************************************/ void test_complexity(void) { jmp_buf env; setjmp(env); complexity( FALSE, FALSE, FALSE, FALSE ); longjmp(env,1); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * These penalties are reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
DERA | : | 82 | ||
EADS-C | : | 111 | ||
HIC++ | : | 5.9 | ||
JSF++ AV | : | 113 | ||
LMTCP | : | 208, 356 | ||
MISRA-AC | : | 14.7 | ||
MISRA-C++:2008 | : | 6-6-5 | ||
MISRA-C:1998 | : | 82 | ||
MISRA-C:2004 | : | 14.7 | ||
NETRINO | : | 6.2.c | ||
SEC-C | : | M3.1.5 |
A spurious inspect annotation for a particular standard is present in the code. The line should be removed to avoid confusion and aid readability.
Whereas cyclomatic complexity, v(G), is a measure of decision logic, essential cyclomatic complexity, ev(G), is a measure of the quality of that logic. It is derived as the cyclomatic complexity after structured programming primitives have been removed from the control graph. The reduced graph then gives an indication of the unstructured-ness of the code.
1 <= ev(G) <= v(G)
An essential complexity of 1 reflects a perfectly structured control graph. The essential cyclomatic complexity shall not be greater than the value quoted in the violation text. Poor structure makes software harder to understand and also impedes testing.
Loop nesting is both error prone and makes code difficult to understand and maintain. Loop depth shall be no greater than the specified limit.
#include "C_STANDARDS.H" void foo( UINT_32 ee, UINT_32 ff, UINT_32 gg, UINT_32 hh); /******************************************************** * Complexity Analysis 10 C : Loop depth greater than *** ********************************************************/ void foo( UINT_32 ee, UINT_32 ff, UINT_32 gg, UINT_32 hh) { UINT_32 aa, bb, cc, dd; for (aa = 1U; aa < ee; aa++) { for (bb = aa; bb < ff; bb++) { for (cc = bb; cc < gg; cc++) { for (dd = cc; dd < hh; dd++) /* this takes loop depth to > 3 */ { /* something */ } } } } } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
A series of same depth loops within a procedure indicates a poorly structured program, which is likely to be inefficient as well as difficult to maintain and test. The number of depth 1 loops shall be no greater than the specified limit.
#include "C_STANDARDS.H" void foo( UINT_32 zz ); /******************************************************** * Complexity Analysis 11 C : More than *** depth 1 loops ********************************************************/ void foo( UINT_32 zz ) { UINT_32 aa, bb, cc, dd, ee, ff, gg, hh, ii, jj, kk; for (aa = 1U; aa < zz; aa++) { } for (bb = 1U; bb < zz; bb++) { } for (cc = 1U; cc < zz; cc++) { } for (dd = 1U; dd < zz; dd++) { } for (ee = 1U; ee < zz; ee++) { } for (ff = 1U; ff < zz; ff++) { } for (gg = 1U; gg < zz; gg++) { } for (hh = 1U; hh < zz; hh++) { } for (ii = 1U; ii < zz; ii++) { } for (jj = 1U; jj < zz; jj++) { } for (kk = 1U; kk < zz; kk++) /* this takes number of depth 1 loops to > 10 */ { } } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
A knot describes the incidence of one jump in the code crossing another. Hence the number of knots in a procedure is a measure of the disjointed-ness of the code and consequently its complexity. The specified complexity limit shall not be exceeded.
A knot describes the incidence of one jump in the code crossing another. The number of essential knots is a measure of the code complexity arising from unstructured constructs. It is derived as the number of knots remaining after structured programming primitives have been removed from the associated control graph. For a structured program the number of essential knots is 0. The specified complexity limit shall not be exceeded.
The procedure does not use the parameter in any way and the resultant computations will be unaffected if the parameter is removed.
#include "c_standards.h" UINT_32 SDA_001( UINT_32 p_1, UINT_32 p_2 ); /******************************************************** * Static Data Flow Analysis 1 D : Unused Procedure Parameter ********************************************************/ UINT_32 SDA_001( UINT_32 p_1, UINT_32 p_2 ) { UINT_32 v_1; v_1 = p_1; v_1++; return v_1; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
This arises from a function which either has no return statement at all, or has at least one path with no return statement, or has one or more return statements containing a null expression.
Also note that in paths where an exception is thrown there will be no return value.
typedef unsigned int Uint_32; Uint_32 SDA_002( Uint_32 par_1 ); // // Static Data Flow Analysis 2 D : Function does not return a value on all paths. // Uint_32 SDA_002( Uint_32 par_1 ) { if (par_1 > 10) { switch (par_1) { case 0: return (1); break; case 1: return (2); break; default: // path with no value returned break; } } else { if (par_1 > 20) { throw BoundException("Invalid param"); // path with no value returned } return (4); } } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
CWE | : | 758 | ||
DERA | : | 75 | ||
HIC++ | : | 5.10 | ||
HIS | : | 75 | ||
JSF++ AV | : | 114 | ||
MISRA-AC | : | 16.8 | ||
MISRA-C:1998 | : | 75 | ||
MISRA-C:2004 | : | 16.8 |
This is generated when a procedure which uses a global variable x also has x as a formal parameter.
#include "c_standards.h" void SDA_003( UINT_32 *par_1); void Test_003(void); UINT_32 globl = 1; /******************************************************** * Static Data Flow Analysis 3 D : Actual Parameter is also global to procedure ********************************************************/ void SDA_003( UINT_32 *par_1 ) { *par_1 = *par_1 + glob1; } void Test_003(void) { SDA_003(&globl); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
DERA | : | 148 |
Variables have not been used and hence can be removed.
This standard is superseded by 94 D which provides a more detailed report.
#include "c_standards.h" UINT_32 SDA_004( void ); /******************************************************** * Standard Data Flow Analysis 4 D : Variables declared but not used in code analysed. ********************************************************/ UINT_32 SDA_004( void ) { UINT_32 v_1, v_2; v_1 = 0; return v_1; }
At least one variable is used before it is given a value. This result is generated regardless of whether a compiler claims to initialise all or some of the variables.
This standard is superseded by 69 D which provides a more detailed report.
#include "c_standards.h" UINT_32 SDA_005 ( void) ; /******************************************************** * Static Data Flow Analysis 5 D : data flow anomalies found. ********************************************************/ UINT_32 SDA_005 ( void) { UINT_32 v_1 , v_2 ; v_1 = v_2 ; v_2 = v_1 ; return v_2 ; }
Recursion is often banned because of the fear of running out of store, but recursive calls can also cause loops when the programmers are unaware of the calling structure.
#include "c_standards.h" UINT_32 Test_006(void); UINT_32 SDA_006( UINT_32 par_a ); /******************************************************** * Static Data Flow Analysis 6 D : Recursion in Procedures calls found. ********************************************************/ UINT_32 SDA_006( UINT_32 par_a ) { UINT_32 result; UINT_32 value; if (par_a != 1 ) { value = par_a; value--; result = SDA_006( value ) * par_a; } else { result=1u; } return (result); } UINT_32 Test_006(void) { UINT_32 result; result = SDA_006( 20 ); return result; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code No * Source Code & Violations Yes File Header * Reformatted Code Yes File Header * Individual Quality Report Yes Global * */
CWE | : | 674 | ||
DERA | : | 70 | ||
EADS-C | : | 117 | ||
HIS | : | 70 | ||
JPL | : | 1 | ||
JSF++ AV | : | 119 | ||
LMTCP | : | 219 | ||
MISRA-AC | : | 16.2 | ||
MISRA-C++:2008 | : | 7-5-4 | ||
MISRA-C:1998 | : | 70 | ||
MISRA-C:2004 | : | 16.2 | ||
SEC-C | : | R3.4.1 |
DU anomalies are unnecessary and can always be removed with a consequent improvement in the readability and efficiency of the code.
This standard is superseded by 70 D which provides a more detailed report.
#include "c_standards.h" void SDA_007( void ); /******************************************************** * Static Data Flow Analysis 7 D : DU data flow anomalies found. ********************************************************/ void SDA_007( void ) { BOOL flag = FALSE; /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
A variable exists that has been Defined, and has been Redefined without being Referenced after the Definition. DD anomalies can arise from programming errors.
#include "c_standards.h" BOOL SDA_008( void ); /******************************************************** * Static Data Flow Analysis 8 D : DD data flow anomalies found. ********************************************************/ BOOL SDA_008( void ) { BOOL flag = FALSE; /* ... */ flag = TRUE; /* ... */ return flag; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
In this case a call to the procedure does not necessarily mean that an output variable is given a value. This can lead to serious errors.
#include "c_standards.h" void SDA_009(UINT_32 p_1, UINT_32* p_2 ); /******************************************************** * Static Data Flow Analysis 9 D : Defined parameter has possible clear path ********************************************************/ void SDA_009(UINT_32 p_1, UINT_32* p_2 ) { if (p_1 != 5) { *p_2 = p_1 + 6; } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
This standard is not applicable to java.
Some authorities believe that the use of global variables is bad programming practice. Certainly it is more difficult to reuse procedures that use such variables. Furthermore, the order of initialisation across translation units is unspecified, and so any module which contains the appropriate declaration may access a global variable defined elsewhere before it has received an initial value.
This standard will also be generated for procedures that indirectly access global variables through procedure calls. Checks on global function pointers are covered by 45 D.
#include "c_standards.h" UINT_32 globl = 1; /* Global variable. */ /******************************************************** * Static Data Flow Analysis 10 D : Globals used inside procedure ********************************************************/ void SDA_010( UINT_32 * par_1 ) { *par_1 = *par_1 + globl; /* Global variable accessed. */ } void foo(void) { UINT_32 foo_var = 42U; /* Local variable. */ SDA_010(&foo_var); /* Indirect access: called procedure accesses a global. */ } void bar(void) { foo(); /* * Indirect access: called procedure calls a procedure * which accesses a global. */ } /* * Copyright (c) 2007 Liverpool Data Research Associates * */
This arises if either a purely input variable is given a value or an input/output variable is not given a value.
#include "c_standards.h" void SDA_011( UINT_32 par_1, UINT_32 par_2 ); /******************************************************** * Standard 11 D : Parameters do not match expected actions ********************************************************/ void SDA_011( UINT_32 par_1, UINT_32 par_2 ) { if (par_2 != 1) { par_1 = 0; } else { par_1= 1; } /* ... */ }
This standard is not applicable to java.
This is similar to standard 9 D but in this case an input value is not used on all paths. Generally it is not dangerous.
#include "c_standards.h" UINT_32 SDA_012( UINT_32 par_1, UINT_32 par_2 ); /******************************************************** * Static Data Flow Analysis 12 D : Referenced parameter has possible clear path ********************************************************/ UINT_32 SDA_012( UINT_32 par_1, UINT_32 par_2 ) { UINT_32 var_1; var_1 = par_2; if (par_2 != 1) { var_1 = par_1; } /* ... */ return (var_1); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
This standard is not applicable to java.
This standard checks that if globals accessed in any procedures which are called match any parameters. E.g.:
#include "c_standards.h" void SDA_013( UINT_32 * pVar ); void foo( UINT_32 * globl ); void Test_013(void); UINT_32 globl = 1; /******************************************************** * Static Data Flow Analysis 13 D : Global used in procedure matches local parameter ********************************************************/ void foo( UINT_32 * globl ) { SDA_013( globl ); } void SDA_013( UINT_32 * pVar ) { *pVar = *pVar + globl; } void Test_013(void) { foo(&globl); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
C will allow you to assign to call by value parameters which could be an error.
#include "c_standards.h" void SDA_014( UINT_32 par_1, UINT_32 par_2 ); /******************************************************** * Standard 14 D : Attempt to change parameter passed by value ********************************************************/ void SDA_014( UINT_32 par_1, UINT_32 par_2 ) { if (par_2 != 1) { par_1 = 0; } else { par_1= 1; } /* ... */ }
This standard is not applicable to java.
Ensure that any procedural parameters left unused have not been done so in error. If a parameter is not required, for readability and easier understanding of the code it should be removed.
#include "c_standards.h" void SDA_015(void (*p_proc_pointer)(void ) ); /******************************************************** * Static Data Flow Analysis 15 D : Unused Procedural parameter ********************************************************/ void SDA_015(void (*p_proc_pointer)(void) ) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
If a procedure is called with two identical actual parameters then there is an equivalent between the corresponding formal parameters but the actual form of this equivalence is compiler dependent.
#include "c_standards.h" void Test_016( UINT_32 *par_1, UINT_32 *par_2 ); void SDA_016(void ); void Test_016( UINT_32 *par_1, UINT_32 *par_2 ) { if (par_1 == par_2) { /* ... */ } } /******************************************************** * Static Data Flow Analysis 16 D : Identical Actual Parameters in Call ********************************************************/ void SDA_016(void) { UINT_32 var=6; Test_016( &var , &var ); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
DERA | : | 153 |
The maximum sequence for distinction between identifiers is compiler and linker dependent. The user can specifier the maximum sequence in the cpen.dat file and this standard will warn if there are any which are identical up to this limit. The *** symbols refer to a user definable number for this standard. The configuration is made in the <lang>pen.dat file.
#include "c_standards.h" UINT_32 SDA_017(void ); /******************************************************** * Static Data Flow Analysis 17 D : Identifier exceeds *** sig chars * Does not compile under VC++ without /H ********************************************************/ UINT_32 SDA_017(void) { UINT_32 This_identifier_exceeds_thirty_one_characters_in_length; UINT_32 This_identifier_exceeds_thirty_one_characters_in_length_also; /* ... */ This_identifier_exceeds_thirty_one_characters_in_length = 1; This_identifier_exceeds_thirty_one_characters_in_length_also = 2; return (This_identifier_exceeds_thirty_one_characters_in_length); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CERT-C | : | DCL32-C | ||
CWE | : | 758 | ||
DERA | : | 11 | ||
HIS | : | 11 | ||
JSF++ AV | : | 46 | ||
LMTCP | : | 69 | ||
MISRA-AC | : | 1.4, 5.1 | ||
MISRA-C:1998 | : | 11 | ||
MISRA-C:2004 | : | 1.4, 5.1 |
This is reported when names are duplicated across file boundaries.
#include "c_standards.h" UINT_32 Re_Used; UINT_32 SDA_018( void ); /******************************************************** * Static Data Flow Analysis 18 D : Identifier name reused * Does not compile with VC++ ********************************************************/ UINT_32 SDA_018( void ) { UINT_32 Re_Used; Re_Used = 1; return Re_Used; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CERT-J | : | SCP02-J | ||
DERA | : | 12, 21 | ||
HIS | : | 21 | ||
MISRA-AC | : | 5.2, 5.5 | ||
MISRA-C:1998 | : | 12, 21 | ||
MISRA-C:2004 | : | 5.2, 5.5 | ||
SEC-C | : | M1.7.1 |
Some compilers use default values if a use is found before a declaration or definition.
#include "c_standards.h" UINT_16 SDA_019(void ); /******************************************************** * Static Data Flow Analysis 19 D : Procedure called before being defined ********************************************************/ UINT_16 SDA_019(void) { UINT_16 retval; retval = Test_19d(); return (retval); } UINT_32 Test_19d( void ) { /* ... */ return (1u); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
Some compilers will assume a default type if a variable is used before a declaration is found.
#include "c_standards.h" UINT_32 SDA_020(void ); /******************************************************** * Static Data Flow Analysis 20 D : No declaration for variable found before use * Does not compile with VC++ ********************************************************/ UINT_32 SDA_020(void) { UINT_32 retval; retval = undeclared; return (retval); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
A function has global side effects if it can return a value through its global variables as well as by means of its parameters (possibly) and its return type. The safest form is one which only returns a value through the return type.
#include "c_standards.h" UINT_32 global=0; UINT_32 SDA_022( void ); /******************************************************** * Static Data Flow Analysis 22 D : Function has global variable side effects ********************************************************/ UINT_32 SDA_022(void) { /* ... */ global++; /* ... */ return (global); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
LMTCP | : | 286 |
A function has parameter side effects if it can return a value through its parameters as well as by means of its globals (possibly) and its return type. The safest form is one which only returns a value through the return type.
#include "c_standards.h" UINT_32 SDA_023( UINT_32 * par_1 ); /******************************************************** * Static Data Flow Analysis 23 D : Function has parameter side effects ********************************************************/ UINT_32 SDA_023( UINT_32 * par_1 ) { /* ... */ *par_1 = 1; /* ... */ return (*par_1); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
CERT-J | : | MET05-J |
In general providing prototypes is considered to be good practice and is essential if the uses precede the definition.
#include "c_standards.h" /******************************************************** * Static Data Flow Analysis 24 D : Procedure definition has no associated prototype ********************************************************/ void SDA_024( UINT_32 * par_1 ) { *par_1 = 1; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
CERT-C | : | DCL31-C | ||
DERA | : | 71 | ||
EADS-C | : | 107, 118 | ||
HIS | : | 71 | ||
LMTCP | : | 230 | ||
MISRA-AC | : | 8.1 | ||
MISRA-C:1998 | : | 71 | ||
MISRA-C:2004 | : | 8.1 | ||
NETRINO | : | 6.2.d | ||
SEC-C | : | M4.4.3 |
This standard is not applicable to java.
Variables should always be declared in the smallest scope consistent with their use. This standard reports the names of variables which could be moved to an inner scope. It does not take account of possible uses of a global variable in other files in a system.
#include "c_standards.h" void SDA_025( UINT_32 * par_1 ); UINT_32 g_var_1 = 1; /******************************************************** * Static Data Flow Analysis 25 D : Scope of variable could be reduced ********************************************************/ void SDA_025( UINT_32 * par_1 ) { *par_1 = g_var_1; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code No * Source Code & Violations Yes File Header * Reformatted Code Yes File Header * Individual Quality Report Yes * */
CERT-J | : | SCP00-J | ||
DERA | : | 22 | ||
HIC++ | : | 8.4.4 | ||
HIS | : | 22 | ||
JPL | : | 6 | ||
LMTCP | : | 249 | ||
MISRA-AC | : | 8.7 | ||
MISRA-C++:2008 | : | 3-4-1 | ||
MISRA-C:1998 | : | 22 | ||
MISRA-C:2004 | : | 8.7 | ||
NETRINO | : | 7.2.b | ||
SEC-C | : | M2.2.1 |
This standard reports variables that have more than one definition, either within a file, or across a set of files. Note for that C++, const variable declarations are excluded from this check.
#include "c_standards.h" /******************************************************** * Static Data Flow Analysis 26 D : Variable should be defined once in only 1 file ********************************************************/ UINT_32 SDA_026; SINT_32 SDA_026; void dummy(void); void dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code No * Source Code & Violations Yes File Header * Reformatted Code Yes File Header * Individual Quality Report Yes Global * */
DERA | : | 25 | ||
HIS | : | 25 | ||
JSF++ AV | : | 139 | ||
LMTCP | : | 253 | ||
MISRA-AC | : | 8.8 | ||
MISRA-C++:2008 | : | 3-2-2, 3-2-4 | ||
MISRA-C:1998 | : | 25 | ||
MISRA-C:2004 | : | 8.8 |
This variable is of file scope and hence should be declared with the static qualifier.
#include "c_standards.h" void dummy( void ); SINT_32 SDA_027( void ); SINT_32 file_global = 1; SINT_32 SDA_027( void ) { return -file_global; } /******************************************************** * Static Data Flow Analysis 27 D : Variable should be declared static ********************************************************/ SINT_32 main( void ) { SINT_32 x; x = SDA_027(); dummy(); return x; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes File Footer * Source Code & Violations Yes File Footer * Reformatted Code Yes File Footer * Individual Quality Report Yes Global * * Notes: 'ONLY REPORTED IN 1 FILE - ALSO IN SYSTEM QUALITY REPORT AS GLOBAL' */ Example file 2: #include "c_standards.h" void dummy( void ); void dummy( void ) { /* ... */ }
CERT-C | : | DCL15-C | ||
CWE | : | 736 | ||
DERA | : | 23 | ||
EADS-C | : | 97 | ||
HIS | : | 23 | ||
LMTCP | : | 250, 251 | ||
MISRA-AC | : | 8.10, 8.11 | ||
MISRA-C++:2008 | : | 3-3-1 | ||
MISRA-C:1998 | : | 23 | ||
MISRA-C:2004 | : | 8.10, 8.11 | ||
NETRINO | : | 1.8.a | ||
SEC-C | : | M2.2.2, M2.2.3 |
The value required to exit a looping sequence is not assigned in every path through the sequence.
#include "c_standards.h" void SDA_028( void ); /******************************************************** * Static Data Flow Analysis 28 D : Potentially Infinite loop found ********************************************************/ void SDA_028( void ) { UINT_32 i=1; BOOL flag = TRUE; while (flag) { /* ... */ if (i==0) { flag=FALSE; } /* ... */ } } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
A structure has been used as a parameter to a procedure call, but some parts of it have not been used.
#include "c_standards.h" struct s29 { UINT_32 u1; UINT_32 u2; UINT_32 u3; }; UINT_32 SDA_029( struct s29 s ); UINT_32 Test_029( void ); /******************************************************** * Static Data Flow Analysis 29 D : partially used structured procedure parameter ********************************************************/ UINT_32 SDA_029( struct s29 s ) { UINT_32 result; result = s.u1 + s.u2; return (result); } UINT_32 Test_029( void ) { UINT_32 a; struct s29 s; s.u1=1; s.u2=2; s.u3=3; a=SDA_029( s ); return (a); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
This standard is not applicable to java.
A mismatch between formal and actual procedural parameters is not permitted by the C/C++ languages.
The structures defined for a procedure parameter differs from that in the called procedure
#include "c_standards.h" UINT_32 SDA_031( struct s31a s ); UINT_32 Test_031( void ); struct s31a { UINT_32 u1; UINT_32 u2; }; struct s31b { UINT_32 f1; UINT_32 f2; UINT_32 f3; }; /******************************************************** * Static Data Flow Analysis 31 D : Parameter Structure mismatch * Does not Compile with VC++ ********************************************************/ UINT_32 SDA_031( struct s31a s ) { UINT_32 result; result = s.u1 + s.u2; return (result); } UINT_32 Test_031( void ) { struct s31b s2; UINT_32 a; a=0; s2.f1=1; s2.f2=2; s2.f3=3; a=SDA_031( s2 ); return (a); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
This standard is not applicable to java.
Parameter definition omitted in a formal definition (e.g. may have specified only a type).
This standard is not applicable to java.
A variable has been declared 'external' in each of the program components. There is no real declaration.
#include "c_standards.h" extern UINT_32 SDA_033=1; extern UINT_32 test_033_2( void ); UINT_32 test_033_1(void); /******************************************************** * Static Data Flow Analysis 33 D : No real declaration for external variable ********************************************************/ UINT_32 test_033_1( void ) { UINT_32 a; a = test_033_2( ); return a; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code No * Source Code & Violations Yes File Header * Reformatted Code Yes File Header * Individual Quality Report Yes Global * */ Example file 2: #include "c_standards.h" extern UINT_32 SDA_033; UINT_32 test_033_2(void); UINT_32 test_033_2(void) { SDA_033++; return SDA_033; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
DERA | : | 25 | ||
HIS | : | 25 | ||
MISRA-AC | : | 8.9 | ||
MISRA-C++:2008 | : | 3-2-4 | ||
MISRA-C:1998 | : | 25 | ||
MISRA-C:2004 | : | 8.9 | ||
SEC-C | : | M4.4.3, M4.4.4 |
This standard is not applicable to java.
Two C files can contain procedures with the same name, leading to confusion and errors.
#include "c_standards.h" static UINT_32 SDA_034( UINT_32 a1 ); UINT_32 test_034(void); /******************************************************** * Static Data Flow Analysis 34 D : Procedure name re-used in different files ********************************************************/ UINT_32 SDA_034( UINT_32 a1 ) { UINT_32 b=a1; b--; return b; } UINT_32 test_034(void) { UINT_32 a=1; a = SDA_034( a ); return a; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Header * Source Code & Violations Yes Procedure Header * Reformatted Code Yes Procedure Header * Individual Quality Report Yes Global * * Notes: 'ONLY REPORTED IN 1 FILE - ALSO IN SYSTEM QUALITY REPORT AS GLOBAL' */ Example file 2: #include "c_standards.h" /******************************************************** * Static Data Flow Analysis 34 D : Procedure name re-used in different files. ********************************************************/ SINT_32 SDA_034( SINT_32 a1 ); SINT_32 SDA_034( SINT_32 a1 ) { SINT_32 b=a1; b--; return b; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes * Source Code & Violations Yes * Reformatted Code Yes * Individual Quality Report Yes * */
DERA | : | 25 | ||
HIS | : | 25 | ||
MISRA-AC | : | 8.9 | ||
MISRA-C++:2008 | : | 3-2-2 | ||
MISRA-C:1998 | : | 25 | ||
MISRA-C:2004 | : | 8.9 | ||
SEC-C | : | M4.4.3, M4.4.4 |
This can occur with operators such as ++ used in expressions. For example: x = A[j] + j++; is potentially ambiguous depending on the order of evaluation of the right hand side.
#include "c_standards.h" UINT_32 SDA_035( UINT_32 par_1 ); /******************************************************** * Static Data Flow Analysis 35 D : Expression has side effects ********************************************************/ UINT_32 SDA_035( UINT_32 par_1 ) { UINT_32 result; UINT_32 var_1=par_1; result = var_1++ + var_1; return (result); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CERT-C | : | EXP02-C, EXP10-C, EXP30-C | ||
CWE | : | 737, 758, 768 | ||
DERA | : | 46 | ||
HIC++ | : | 10.3 | ||
HIS | : | 46 | ||
JSF++ AV | : | 157, 204 | ||
LMTCP | : | 286, 362 | ||
MISRA-AC | : | 12.2, 12.4, 12.13 | ||
MISRA-C++:2008 | : | 5-0-1 | ||
MISRA-C:1998 | : | 46 | ||
MISRA-C:2004 | : | 12.2, 12.4, 12.13 | ||
SEC-C | : | M1.8.1, M3.2.1, R3.6.1 |
This standard is not applicable to java.
This penalty is flagged if the names of parameters mentioned in a procedure prototype definition do not match the names in the real definition.
#include "c_standards.h" UINT_32 SDA_036( UINT_32 var_1 ); /******************************************************** * Static Data Flow Analysis 36 D : Prototype and Definition name mismatch. ********************************************************/ UINT_32 SDA_036( UINT_32 par_1 ) { UINT_32 result; UINT_32 var_1=par_1; result = var_1; return (result); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Header * Source Code & Violations Yes Procedure Header * Reformatted Code Yes Procedure Header * Individual Quality Report Yes * */
DERA | : | 74 | ||
HIC++ | : | 11.3 | ||
HIS | : | 74 | ||
LMTCP | : | 233 | ||
MISRA-AC | : | 16.4 | ||
MISRA-C++:2008 | : | 8-4-2 | ||
MISRA-C:1998 | : | 74 | ||
MISRA-C:2004 | : | 16.4 | ||
SEC-C | : | M4.5.1 |
This standard is not applicable to java.
A function has persistent local side effects if it can return a value through its persistent local variables as well as by means of its parameters (possibly) and its return type. The safest form is one which only returns a value through the return type.
#include "c_standards.h" UINT_32 SDA_037( void ); /******************************************************** * Static Data Flow Analysis 37 D : Function has persistent local side effects ********************************************************/ UINT_32 SDA_037(void) { static UINT_32 var_1; /* ... */ var_1++; /* ... */ return (var_1); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
Loop iteration shall be controlled by a single variable only. More than one control variable should never be required and only serves to confuse and increase the potential for undesired behaviour, such as an infinite loop.
#include "C_STANDARDS.H" void SDA_038( UCHAR *pArray, UINT_32 ArraySize); /******************************************************** * Static Data Flow Analysis 38 D : More than one control variable for loop ********************************************************/ void SDA_038( UCHAR *pArray, UINT_32 ArraySize) { UCHAR element; UINT_32 stepup=0,stepdn; stepdn = ArraySize; stepdn--; while( stepdn > stepup ) { element = pArray[ stepdn ]; pArray[ stepdn ] = pArray[ stepup ]; pArray[ stepup ] = element; stepup++; stepdn--; } /* end of while */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
Ensure that a loop has a single entry point, in order to simplify the control graph for the statement and reduce overall complexity.
typedef unsigned int Uint_32; void SDA_039( void ); /***************************************************************** * Static Data Flow Analysis 39 D : More than one entry to a loop *****************************************************************/ void SDA_039( void ) { Uint_32 it; for (it = 0; it < 42U; it++) { /* ... */ lb1: /* ... */ it++; lb2: /* ... */ it++; if (it == 7U) { goto lb1; /*** re-entry ***/ } else { if (it == 9U) { goto lb2; /*** re-entry ***/ } else { /* do something */ } } } } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
Ensure that a loop has a single exit point, in order to simplify the control graph for the statement and reduce overall complexity.
#include "C_STANDARDS.H" typedef unsigned int Uint_32; void SDA_040( void ); /****************************************************************** * Static Data Flow Analysis 40 D : More than one exit from a loop ******************************************************************/ void SDA_040( void ) { Uint_32 it; for (it = 0; it < 42U; it++) { /* ... */ if (it == 9U) { break; /*** provides an additional exit from loop ***/ } else { /* do something */ } } } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
Procedures shall always have a prototype visible at the point at which they are called. It is good practice to always declare a prototype and essential where a call is not preceded by a definition of the procedure, as the compiler may make assumptions about the types.
typedef unsigned int Uint_32; void SDA_041( Uint_32 param ); /**************************************************************************** * Static Data Flow Analysis 41 D : Procedure call has no prototype declared ****************************************************************************/ void SDA_041( Uint_32 param ) { /* ... */ Uint_32 result = foo( param ); /* ... */ } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
A function shall not return a pointer to a non-static local object. Following return of control to the calling function the local object will have gone out of scope and no longer exist.
typedef signed int Sint_32; void SDA_042( void ); Sint_32 * foo( void ); /***************************************************************************** * Static Data Flow Analysis 42 D : Local pointer returned in function result *****************************************************************************/ Sint_32 * foo( void ) { Sint_32 local_var = 22; /* ... */ return &local_var; } void SDA_042( void ) { /* ... */ Sint_32 * result = foo(); /* ... */ } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
CAST | : | 5.16.5 | ||
CERT-C | : | DCL30-C | ||
CWE | : | 562, 758 | ||
DERA | : | 106 | ||
HIC++ | : | 11.7 | ||
HIS | : | 106 | ||
JSF++ AV | : | 111, 112 | ||
LMTCP | : | 206 | ||
MISRA-AC | : | 17.6 | ||
MISRA-C++:2008 | : | 7-5-1 | ||
MISRA-C:1998 | : | 106 | ||
MISRA-C:2004 | : | 17.6 |
This standard is not applicable to java.
Measures shall be taken to prevent run-time failures caused by divide by zero operations. Either a conditional test or an assertion should be used on the right hand operand being non-zero.
typedef signed int SINT_32; void SDA_043( SINT_32 p_denominator ); /******************************************************** * Static Data Flow Analysis 43 D : Divide by 0 found ********************************************************/ void SDA_043( SINT_32 p_denominator ) { SINT_32 local_denominator = 0; SINT_32 numerator = 9; SINT_32 result = numerator / local_denominator; /* divide by zero! */ /* ... */ } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | INT32-C, INT33-C | ||
CWE | : | 129, 190, 369, 680, 758 | ||
EADS-C | : | 103 | ||
HIC++ | : | 10.17 | ||
LMTCP | : | 311 | ||
MISRA-AC | : | 21.1 | ||
MISRA-C++:2008 | : | 0-3-1 | ||
MISRA-C:2004 | : | 21.1 |
A pointer shall not be used without a prior check for NULL status. De-referencing a NULL pointer constitutes undefined behaviour.
#include "c_standards.h" void SDA_045( UINT_32 * par_1 ); /*************************************************************************** * Static Data Flow Analysis 45 D : Pointer not checked for null before use ***************************************************************************/ void SDA_045( UINT_32 * par_1 ) { UINT_32 * lvar_1 = (UINT_32 *)malloc(sizeof(lvar_1)); *lvar_1 = *par_1; } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | EXP08-C, EXP34-C | ||
CMSE | : | 4.1.4 | ||
CWE | : | 468, 476, 690, 758 | ||
EADS-C | : | 122 | ||
GJB | : | 5.1.15 | ||
HIS | : | 107 | ||
JSF++ AV | : | 174 | ||
LMTCP | : | 317 | ||
MISRA-AC | : | 21.1 | ||
MISRA-C:1998 | : | 107 | ||
MISRA-C:2004 | : | 21.1 |
This standard is not applicable to java.
Member functions should be declared const by default and only non-const if there is a clear explicit reason for doing so. Declaring a member function const ensures that objects are not modified incorrectly.
This standard works by detecting modification to member variables, including via calls to other functions. If called member functions are not visible to the analysis (for example, they may be in a base class implementation), it is assumed that they do not modify member variables. The standard may therefore be flagged in situations where making the member function const will cause a compilation error because a non-const member function is called. In these situations the user should determine whether the called function can also be made const. If not, the standard violation may be ignored.
typedef unsigned int Uint_32; // // Static Data Flow Analysis 46 D : Member function should be declared const. // A/Ref: // class Person { public: Person(); explicit Person(const Uint_32 personNum); Person & operator=(const Person &person ); explicit Person(const Person &person ); ~Person(); Uint_32 get_p_num(void); protected: private: Uint_32 personalNumber; }; Uint_32 Person::get_p_num(void) { return personalNumber; } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
A spurious inspect annotation for a particular standard is present in the code. The line should be removed to avoid confusion and aid readability.
#include "c_standards.h" void SDA_047( UINT_32 * par_1 ); /************************************************************* * Static Data Flow Analysis 47 D : Unused inspect annotation *************************************************************/ /*LDRA_INSPECTED 46 D*/ /* Standard 45 D is actually violated below, and not 46 D*/ void SDA_047( UINT_32 * par_1 ) { UINT_32 * lvar_1 = (UINT_32)malloc(sizeof(lvar_1)); *lvar_1 = *par_1; } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Any attempt to write to a file must be preceded by a successful open of that file. The return value from the open function should be checked for non-NULL. Invalid access to files will likely result in program termination.
#include "c_standards.h" #include <stdio.h> #include <stdlib.h> void SDA_048( void ); /********************************************************************* * Static Data Flow Analysis 48 D : Attempt to write to unopened file *********************************************************************/ void SDA_048( void ) { FILE *inp, *outp; SINT_32 ch; inp = fopen("infile.txt", "r"); /* ... code to open output file omitted ... */ do { ch = getc(inp); if (ch == (SINT_32)EOF) { /* do nothing */ } else { putc( ch, outp ); ch = getc(inp); } } while (ch != (SINT_32)EOF ); fclose(inp); fclose(outp); } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
CWE | : | 399 |
A file pointer shall be disassociated from the file once access to the file is no longer required. Failure to close a file may result in subsequent access being invalid, and is likely to cause memory leaks.
#include "c_standards.h" #include <stdio.h> #include <stdlib.h> void SDA_049( void ); /********************************************************************* * Static Data Flow Analysis 49 D : File pointer not closed on exit *********************************************************************/ void SDA_049( void ) { FILE *inp, *outp; SINT_32 ch; inp = fopen("infile.txt", "r"); outp = fopen("outfile.txt", "w"); do { ch = getc(inp); if (ch == (SINT_32)EOF) { /* do nothing */ } else { putc( ch, outp ); ch = getc(inp); } } while (ch != (SINT_32)EOF ); fclose(inp); /* ... code to close output file omitted ... */ } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
Dynamically allocated memory shall be freed before the last pointer variable that references it is reset to NULL or assigned a new memory address. A memory leak occurs when a block of allocated memory is no longer accessible and unnecessarily consumes system resources.
#include "c_standards.h" void SDA_050( UINT_32 * par_1 ); /**************************************************** * Static Data Flow Analysis 50 D : Memory not freed ****************************************************/ void SDA_050( UINT_32 * par_1 ) { UINT_32 * lvar_1 = (UINT_32 *)malloc(sizeof(lvar_1)); if (lvar_1 != (UINT_32 *)0) { *lvar_1 = *par_1; } lvar_1 = pvar_1; /* memory not freed before pointer assigned a new address */ } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
Dynamically allocated memory that has been freed is no longer accessible even if it has pointers which reference it. A block of memory shall not be freed whilst two or more pointer variables reference it.
#include "c_standards.h" void SDA_051( UINT_32 * par_1 ); /********************************************************************* * Static Data Flow Analysis 51 D : Attempt to read from freed memory *********************************************************************/ void SDA_051( UINT_32 * par_1 ) { UINT_32 * lvar_1 = (UINT_32 *)malloc(sizeof(lvar_1)); UINT_32 * lvar_2; if (lvar_1 != (UINT_32 *)0) { *lvar_1 = *par_1; /* ... */ free(lvar_1); /* ... */ *lvar_2 = *lvar_1; } } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
CERT-C | : | MEM30-C | ||
CMSE | : | 6.1.24 | ||
CWE | : | 416, 758 | ||
EADS-C | : | 126 | ||
GJB | : | 5.1.16 | ||
MISRA-AC | : | 21.1 | ||
MISRA-C:2004 | : | 21.1 |
This standard is not applicable to java.
A copy assignment operator shall assign all data members, including those in base classes, which affect the class invariant.
This standard can be further restricted to perform a deeper, more accurate analysis by configuring the modifier 262 in the cppreport.dat file. Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" // // Static Data Flow Analysis 52 D : Member(s) not assigned in = operator. // class SDA_052_base { public: SDA_052_base(); ~SDA_052_base(); explicit SDA_052_base(const SDA_052_base &base ); explicit SDA_052_base(const SINT_32 x1) : base_member (x1) { } SDA_052_base& operator=(const SDA_052_base& rhs) { if (this != &rhs ) { base_member = rhs.base_member; } return *this; } private: SINT_32 base_member; }; class SDA_052_derived_1 : public SDA_052_base { public: SDA_052_derived_1(); ~SDA_052_derived_1(); explicit SDA_052_derived_1(const SDA_052_derived_1 &der1 ); SDA_052_derived_1 (const SINT_32 x1, const SINT_32 y1, const SINT_32 z1) : SDA_052_base (x1), derived_member_1 (y1), derived_member_2 (z1) { } SDA_052_derived_1 & operator=(const SDA_052_derived_1& rhs) { if (this != &rhs ) { // Does not copy base members derived_member_1 = rhs.derived_member_1; derived_member_2 = rhs.derived_member_2; } return *this; } private: SINT_32 derived_member_1; SINT_32 derived_member_2; }; // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c and java.
Before a pointer may be used, such that the contents of the memory address pointed to are accessed, it shall already be initialised.
template < class T > struct list_node { list_node(); // ... list_node * prev; list_node * next; T value; }; // // Static Data Flow Analysis 53 D : Attempt to use uninitialised pointer. // A/Ref: // void merge(list_node * t1, list_node * t2) { // ... list_node * t3 = t1->next; // ... } void foo(void) { list_node * t1, * t2; merge(t1, t2); // t1 is uninitialised, but is subsequently de-referenced // ... } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to java.
Constructs that involve the unsafe use of a function pointer variable, for a purpose other than as a handle to a function, shall not be permitted. For instance, a function pointer should not be used as an actual parameter for the function to which it points to.
typedef struct struct_fn_t { void (* s_fn)(struct struct_fn_t * s_fn_ptr); } struct_fn; /***************************************************************************** * Static Data Flow Analysis 54 D : Unsafe use of function pointer variable. *****************************************************************************/ void sda_054 ( void ) { struct_fn s_fn_ptrs[10]; struct_fn * sda_054_p = &s_fn_ptrs[0]; /* ----- */ sda_054_p->s_fn (sda_054_p++); /* Not compliant */ /* ----- */ } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
This standard is not applicable to java.
A loop counter used within a for loop for iteration shall not be modified in the body of the loop. Modification of the loop counter makes code difficult to read and maintain.
#include "c_standards.h" void SDA_055( UINT_32 * par_1 ); /***************************************************************************** * Static Data Flow Analysis 55 D : Modification of loop counter in loop body *****************************************************************************/ void SDA_055( UINT_32 max_count ) { UINT_32 loop_counter = 0; for (loop_counter = 0; loop_counter < max_count; loop_counter++) { if (loop_counter == 7) { loop_counter++; } else { // do nothing } } } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
DERA | : | 67 | ||
EADS-C | : | 130 | ||
HIC++ | : | 5.5, 5.6 | ||
HIS | : | 67 | ||
JSF++ AV | : | 201 | ||
LMTCP | : | 354 | ||
MISRA-AC | : | 13.6 | ||
MISRA-C++:2008 | : | 6-5-3 | ||
MISRA-C:1998 | : | 67 | ||
MISRA-C:2004 | : | 13.6 | ||
SEC-C | : | M3.3.2 |
All exceptions signalled by a throw-expression shall be handled by an appropriate catch-block for the type of object passed from the throw-point. Failure to handle an exception reduces fault-tolerance, and may result in program termination.
typedef signed int Sint_32; typedef enum BOOL { FALSE = 0, TRUE = 1 } BOOL; void sub(BOOL p_bool); void root(void); // // Static Data Flow Analysis 56 D : Throw found with no catch in scope. // A/Ref: // void sub(BOOL p_bool) { try { if (p_bool == TRUE) { // do something } else { throw 42.0F; // No catch for this exception in scope!!! } } catch (Sint_32 & e) { // ... } } void root(void) { sub(FALSE); } // // // Copyright (c) 2006 Liverpool Data Research Associates // //
This standard is not applicable to c.
All variables shall be initialised before use. Global variables, in particular, should be initialised at declaration to ensure there can be no access prior to an assignment.
This standard does not apply to variables that are initialised by constructors.
#include "c_standards.h" void SDA_057( SINT_32 p_var ); const SINT_32 g_var; /************************************************************************* * Static Data Flow Analysis 57 D : Global not initialised at declaration *************************************************************************/ void SDA_057( SINT_32 p_var ) { SINT_32 result1 = g_var * p_var; /* ... */ } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
Use of symbolic names is preferred to literal values in the code. However, character and string literals are permitted as an exception, provided they appear only once.
#include "c_standards.h" void SDA_058( void ); /********************************************************************** * Static Data Flow Analysis 58 D : Character or string literal re-used **********************************************************************/ void SDA_058( void ) { CHAR str1[] = {'a', 'b', 'c'}; CHAR str2[] = {'d', 'a', 'f'}; /* 'a' already present in str1 */ CHAR str3[] = {'x', 'y', 'b'}; /* 'b' already present in str1 */ CHAR * some_string = "Hello World"; CHAR * another_string = "Hello World"; /* "Hello World" already assigned to some_string */ /* ... */ } /* * Copyright (c) 2007 Liverpool Data Research Associates * */
HIC++ | : | 10.1 |
Any non-pointer parameter, whose value is not intended to change, should be protected by the use of const. By making the use of the parameter explicit leads to greater precision in the definition of the function interface. Pointer parameters are covered by standard 603 S.
#include "c_standards.h" /********************************************************************** * Standard 59 D : Parameter should be declared const **********************************************************************/ UCHAR glob; static void sda_059( UCHAR par1, /* Not compliant */ UCHAR par2 /* Compliant */ ) { par2 = glob; glob = par1; } /* * Copyright (c) 2007 Liverpool Data Research Associates * */
An external object shall only be declared once. The preferred approach is to place an extern declaration in a single header file to be shared by those files that provide a definition of, or wish to use, the object.
#include "c_standards.h" extern SINT_32 some_int; /* initial ext. declaration */ /* * Standard 60 D : External object should be declared only once. * A/Ref: */ extern SINT_32 some_int; /* not ok - multiple ext. declaration */ void sda_060( void ); SINT_32 some_int = 0; /* definition */ void sda_060( void ) { ; } /* * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Procedures shall have internal linkage unless external linkage is required. That is, the static storage-class specifier must be applied to procedures that are only called from within the same file. The visibility of a procedure is therefore limited to the required minimum, thereby reducing the possibility for confusion with another identifier with the same name.
This standard does not apply to member functions, which are covered by standard 79 D.
#include "c_standards.h" /* * Standard 61 D : Procedure should be declared static. * */ int main(void) { sda_061(); return 0; } /* * Copyright (c) 2007 Liverpool Data Research Associates * */ /* * Standard 61 D : Procedure should be declared static. * */ void sda_061( void ); static void helper_proc1( void ); /* ok */ void helper_proc2( void); /* not ok - should be static as * procedure is not called anywhere * in system outside of this file. */ static void helper_proc1( void ) { ; } void helper_proc2( void) { ; } void sda_061( void ) { helper_proc1(); helper_proc2(); /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
CERT-C | : | DCL15-C | ||
CWE | : | 736 | ||
ESA-BSSC | : | 63 | ||
MISRA-AC | : | 8.10, 8.11 | ||
MISRA-C++:2008 | : | 3-3-1 | ||
MISRA-C:2004 | : | 8.10, 8.11 | ||
NETRINO | : | 1.8.a, 6.2.e | ||
SEC-C | : | M2.2.2, M2.2.3 |
The const qualifier should be applied to pointer parameters that address data not subject to change. Const-ness of data should be made explicit in all applicable cases to indicate where protection is required.
#include "c_standards.h" /* * Standard 62 D : Pointer parameter should be declared const. * A/Ref: */ void sda_062( UINT_32 * pptr1, const UINT_32 * pptr2, UINT_32 * pptr3 ); /* not ok - should be const */ void sda_062( UINT_32 * pptr1, const UINT_32 * pptr2, UINT_32 * pptr3 ) { *pptr1 = *pptr2 + *pptr3; /* data at address pptr3 not changed */ /***/ } /* * Copyright (c) 2007 Liverpool Data Research Associates * */
CERT-C | : | DCL13-C | ||
CWE | : | 736 | ||
HIC++ | : | 11.5 | ||
HIS | : | 81 | ||
MISRA-AC | : | 16.7 | ||
MISRA-C++:2008 | : | 7-1-2 | ||
MISRA-C:1998 | : | 81 | ||
MISRA-C:2004 | : | 16.7 | ||
NETRINO | : | 1.8.b | ||
SEC-C | : | M1.11.1 |
This standard is not applicable to java.
Procedures with external linkage shall have a definition provided in at least one of the translation units in the system.
#include "c_standards.h" /* * Standard 63 D : No definition in system for prototyped procedure. * A/Ref: */ void sda_063_1( void ); void sda_063_2( void ); /* Not ok */ void sda_063_1( void ) { /***/ } /* * * Copyright (c) 2008 Liverpool Data Research Associates * */
This standard is not applicable to java.
Local variables shall be initialised at declaration. To adopt a strategy of initialing before the first access, but after declaration, invites the highly likely case that an access will be added prior to the intialisation. Access of a varaible which has not been explictly initialised may lead to unexpected results or even a failure.
#include "c_standards.h" /* * Standard 64 D : Local not initialised at declaration. * A/Ref: */ UINT_32 sda_064_1( void ); UINT_32 sda_064_1( void ) { UINT_32 local_int; /***/ local_int = 0U; /***/ local_int++; /***/ return local_int; } /* * * Copyright (c) 2008 Liverpool Data Research Associates * */
A function with void return type must shall have external side effects. Failure to contribute to the generation of any outputs may not be what the developer intended or expects.
This standard does not apply to constructors or destructors.
#include "c_standards.h" /* * Standard 65 D : void function has no side effects. * */ void_32 sda_065_1( void ); void sda_065_1( void ) { UINT_32 local_int = 1; /***/ local_int++; /***/ } /* * * Copyright (c) 2008 Liverpool Data Research Associates * */
Loop control variables other than the loop counter shall be Boolean in order to make the code easier to understand.
#include "c_standards.h" /* * Standard 66 D : Non boolean control variable modified in loop. * A/Ref: */ extern UINT_16 sda_066_2( void ); void sda_066_1( void ); void sda_066_1( void ) { SINT_32 loop; UINT_16 u8a = 0U; BOOL flag = FALSE; for( loop = 0; (loop < 10 ) && ( u8a != 42U ); ++loop ) /* Not ok */ { u8a = sda_066_2(); } for( loop = 0; (loop < 10 ) && flag; ++loop ) /* Ok */ { u8a = sda_066_2(); flag = u8a != 42U; } } /* * * Copyright (c) 2008 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 6-5-6 |
Procedures that have global variable side effects shall be avoided as their invocation may result in unexpected results when the order of evaluation in the calling expression is significant.
#include "c_standards.h" /* * Standard 67 D : Void function has global variable side effects. * A/Ref: */ UINT_32 global = 0U; void sda_067_1( UINT_32 p1, UINT_32 p2 ); void sda_067_2( UINT_32 p3 ); void sda_067_1( UINT_32 p1, UINT_32 p2 ) { global = (global + p1) * p2; } void sda_067_2( UINT_32 p3 ) { sda_067_1( p3++, p3++ ); /* 'global' will be evaluated differently depending on which parameter is evaluated first */ } /* * * Copyright (c) 2008 Liverpool Data Research Associates * */
LMTCP | : | 286 |
This standard is not applicable to java.
Procedures that have persistent local side effects shall be avoided as their invocation may result in unexpected results when the order of evaluation in the calling expression is significant.
#include "c_standards.h" /* * Standard 68 D : Void function has persistent local side effects. * A/Ref: */ void sda_068_1( UINT_32 p1, UINT_32 p2 ); void sda_068_2( UINT_32 p3 ); void sda_068_1( UINT_32 p1, UINT_32 p2 ) { static UINT_32 var_1; /* ... */ var_1 = (var_1 + p1) * p2; /* 'var_1' will be evaluated differently depending on which parameter is evaluated first */ } void sda_068_2( UINT_32 p3 ) { sda_068_1( p3++, p3++ ); } /* * * Copyright (c) 2008 Liverpool Data Research Associates * */
This standard is not applicable to java.
A particular variable is used before it is given a value. This result is generated regardless of whether a compiler claims to initialise all or some of the variables.
#include "c_standards.h" /* * Standard 69 D : UR anomaly, variable used before assignment. * A/Ref: */ void sda_069_1( void ); void sda_069_1( void ) { UINT_32 var_1; /* ... */ var_1++; if( var_1 < 42U ) { /* ... */ } else { /* ... */ } } /* * * Copyright (c) 2008 Liverpool Data Research Associates * */
CAST | : | 5.13.4 | ||
CERT-C | : | ERR30-C, EXP33-C | ||
CMSE | : | 13.1.4 | ||
CWE | : | 457, 665, 758, 824 | ||
DERA | : | 30 | ||
EADS-C++ | : | 31 | ||
GJB | : | 4.13.1.4 | ||
HIC++ | : | 8.4.3 | ||
HIS | : | 30 | ||
JPL | : | 7 | ||
JSF++ AV | : | 142 | ||
LMTCP | : | 257 | ||
MISRA-AC | : | 9.1 | ||
MISRA-C++:2008 | : | 8-5-1 | ||
MISRA-C:1998 | : | 30 | ||
MISRA-C:2004 | : | 9.1 | ||
SEC-C | : | R1.1.1 |
DU anomalies are unnecessary and can always be removed with a consequent improvement in the readability and efficiency of the code.
#include "c_standards.h" /* * Standard 70 D : DU anomaly, variable value is not used. * A/Ref: */ void sda_070_1( const UINT_32 p1 ); void sda_070_1( const UINT_32 p1 ) { UINT_32 var_1 = 0U; /* ... */ var_1++; if( p1 < 42U ) { /* ... */ } else { /* ... */ } } /* * * Copyright (c) 2008 Liverpool Data Research Associates * */
All exceptions shall be handled in all paths to that exception with a handler of a compatible type. Termination of an unhandled exception is implementation-defined.
#include "c_standards.h" /* * Standard 71 D : No matching catch for throw in called function. */ class Caught {}; class NotCaught {}; void sda_071_1( const UINT_32 p1 ); void sda_071_1( const UINT_32 p1 ) { try { if ( p1 > 1U ) { throw Caught(); } else { throw NotCaught(); } } catch ( Caught const & ) { } } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to c.
The value of an expression shall be the same under any order of evaluation. Function calls can prevent this reliance if they have additional effects, such as modifying global data or a passed parameter. Side-effects are viewed as unspecified behaviour and considered to be a portability issue.
#include "c_standards.h" /* * Standard 72 D : Potential side effect problem in expression. */ void sda_072_1( UINT_32 p1 ); UINT_32 sda_072_2( UINT_32 * p2 ); UINT_32 arr[] = {1, 2, 3}; UINT_32 sda_072_2( UINT_32 * p2 ) { (*p2)++; return 1; } void sda_072_1( UINT_32 idx ) { UINT_32 p1; p1 = arr[idx] + sda_072_2(idx ); } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
The loop counter shall only be modified in the expression part of the statement, to attain greater maintainability.
#include "c_standards.h" static void SDA_073( void); /* * Standard 73 D : Predicate variable modified in condition. */ SINT_32 ss = 0; SINT_32 st = 0; static void SDA_073( void) { while( st > ss && (ss = 1) < 10 ){} /* Not compliant */ } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 6-5-3 |
The value of an expression shall be the same under any order of evaluation. Repeated function calls can prevent this reliance if they have additional effects, such as modifying global data or a passed parameter. Side-effects are viewed as unspecified behaviour and considered to be a portability issue.
#include "c_standards.h" static void SDA_074( void); /* * Standard 74 D : Potential side effect from repeated function call */ SINT_32 f ( SINT_32 * pp ) { *pp = 77; return 6; } SINT_32 x; SINT_32 y; static void SDA_074 ( void) { x = f(&y) + f(&y); /* Not compliant */ } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
A file that is already open shall not be opened again. The practice of multilpe simultaneous file opens is implementation-defined behaviour and may lead to race conditions.
#include "c_standards.h" static void SDA_075( void); /* * Standard 75 D : Attempt to open file pointer more than once */ static void SDA_075( void) { UINT_32 xx; FILE * fptr = fopen("mikes.h","rw"); fscanf(fptr,"%d",&xx ); if( xx == 0 ) { fptr = fopen("mikes.h","rw"); /* Not compliant */ } else { } } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
All defined procedures shall be called at least once or removed. Uncalled procedures indicate a possible defect in the code.
#include "c_standards.h" static void SDA_076 (void); /* * Standard 76 D : Procedure not called in code analysed */ static void SDA_076 ( void) { /* Not compliant */ } SINT_32 main(void) { } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
A function shall not return a structure object that contains a pointer to a local object. Following return of control to the calling function the local object will have gone out of scope and no longer exist.
#include "c_standards.h" /* * Standard 77 D : Local structure returned in function result */ struct tag { UCHAR * uptr; }; static struct tag SDA_077 (void) { UCHAR loc = 42; struct tag rtag; rtag.uptr = &loc; return rtag; /* Not compliant */ } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
Global variables should be declared constant wherever possible to avoid unintentional modification, thereby helping to ensure the correctness and security of applications.
Local variables are covered by standard 93 D.
#include "c_standards.h" static void SDA_078( void); /* * Standard 78 D : Variable should be declared const. */ UCHAR glob=9; /* Not compliant */ static void SDA_078( void ) { UCHAR loc; loc = glob; } int main(void) { SDA_078( ); } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
Member functions should be declared static wherever possible to avoid unintentional modification, thereby helping to ensure the correctness and security of applications.
Non-member functions are covered by standard 61 D.
#include "c_standards.h" /* * Standard 79 D : Member function should be declared static. */ void sda_079_1( void ); class Student { public: /***/ Student() { m_NumStudents++; } static UINT_32 m_NumStudents; UINT_32 getTotal( void ) { return m_NumStudents; } }; void sda_079_1( void ) { /* ... */ UINT_32 total; Student my_student; total = my_student.getTotal(); /* ... */ } int main( void ) { sda_079_1(); return 0; } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 9-3-3 |
This standard is not applicable to c.
The status returned by input/output functions should be checked and errors handled appropriately. Failure to check file operation errors may lead to unexpected behaviour.
#include "c_standards.h" static void SDA_080( void); /* * Standard 80 D : Potentially unused function return value. */ static SINT_32 func(SINT_32 pp) { return pp; } static void SDA_080( void) { SINT_32 x; x = func(1); /* Not compliant */ } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
Removing an open file is implementation defined, and may lead to abnormal termination or a failure to delete files. The latter has security implications as a result of unintended information disclosure. A more strongly defined function should be considered instead of remove().
#include "c_standards.h" static void SDA_081( void); /* * Standard 81 D : Attempt to remove an open file. */ FILE * fptr; static void SDA_081( void) { fptr = fopen("mikes.h","r"); remove("mikes.h"); /* Not compliant */ fclose(fptr); } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
Do not use values for fsetpos() that have not been obtained by a prior successful call to fgetpos(). Any other values for pos result in undefined behaviour, which could provide a user with unauthorised access to data being read from the file.
#include "c_standards.h" #include <stdio.h> /* * Standard 82 D : fsetpos values not generated by fgetpos. */ static void SDA_082( void) { FILE * fptr; struct {SINT_32 ff;}astr; fpos_t * anoffset = &astr; fptr = fopen("afile.h","w"); fsetpos(fptr,anoffset); /* Not compliant */ } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
Calls to ungetc() should be separated by successful calls to a file positioning function such as fseek(), fsetpos(), or rewind(). Improper use of ungetc may cause data to be truncated or lost.
#include "c_standards.h" #include <stdio.h> static void SDA_083( SINT_32 par ); /* * Standard 83 D : Potentially repeated call to ungetc. */ SINT_32 ch; FILE * fptr; static void SDA_083( SINT_32 par ) { if( par == 341 ) { ungetc(ch,fptr); } if( par > 0 ) { ungetc(ch,fptr); /* Not compliant */ } } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
Input and ouptut from a stream shall be separated by successful calls to a fflush() or a file positioning function such as fseek(), fsetpos(), or rewind() to avoid undefined behaviour arising.
#include "c_standards.h" #include <stdio.h> #include <string.h> static void SDA_084( void); /* * Standard 84 D : No fseek or flush before I/O. */ static void SDA_084( void) { int c,i; char data[256],append_data[256]; FILE *fp1; strcpy(append_data,"Some data to append"); fp1 = fopen("pf1.txt","a+"); c = getc(fp1); fwrite(append_data,256,1,fp1); if (c != 'o') { /* Not compliant */ fread(data,256,1,fp1); } fclose (fp1); } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
File names originating from untrusted source should be validated to ensure that the file name refers to an expected and valid file. Typically this will require the file name to be an absolute path name. Validation addresses the exploitable vulnerability whereby access to an unintended file is permitted.
#include "c_standards.h" #include <stdio.h> #include <string.h> static void SDA_085( void); /* * Standard 85 D : Filename not verified before fopen. */ static void SDA_085( void) { char ok_file_name[256],bad_file_name1[256],bad_file_name2[256]; FILE *fp1,*fp2,*fp3; strcpy(ok_file_name,"/home/ldra.txt"); scanf("%s %s",bad_file_name1,bad_file_name2); if (strcmp(bad_file_name2,"bad_file.txt") != 0) { /* Not compliant */ fp2 = fopen(bad_file_name1,"w"); /* No error here because the file name has been mentioned in a conditional */ fp3 = fopen(bad_file_name2,"w"); } fclose (fp1); fclose (fp2); fclose (fp3); } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
User imput shall be excluded from format string specifiers. Users with control of format string content can attack a vulnerable process, permitting access to the stack or heap memory.
#include "c_standards.h" #include <stdio.h> #include <string.h> static void SDA_086( void); /* * Standard 86 D : User input not checked before use. */ static void SDA_086( void) { char input_string1[256],input_string2[256]; scanf("%s %s",input_string1,input_string2); if (input_string2 != NULL) { /* Not compliant */ fprintf(stderr,input_string1); } } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
Non-volatile shared objects shall not be used in signal handlers. Access to a shared object in signal handlers is viewed as undefined behaviour, and may lead to race conditions.
#include "c_standards.h" #include <signal.h> #include <string.h> #include <stdlib.h> #include <stdio.h> void SDA_087(void); void my_handler2(int signum); void my_handler1(int signum); /* * Standard 87 D : Illegal shared object in signal handler. */ int glob_var; volatile sig_atomic_t e_flag=0; /* * This is a non-compliant signal handler because it accesses glob_var * which is an ordinary integer */ void my_handler1(int signum) { glob_var = 99; fprintf(stderr,"Signal %d encountered\n",signum); } /* * This is a compliant signal handler because it only accesses e_flag * which is a volatile type */ void my_handler2(int signum) { e_flag = 99; fprintf(stderr,"Signal %d encountered\n",signum); } void SDA_087(void) { signal(SIGINT,my_handler1); signal(SIGHUP,my_handler2); } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
The longjmp() function shall not be invoked in signal handlers. The use of longjmp in signal handlers can lead to undefined behaviour - likely to compromise the integrity of the program - if as a result calling longjmp(), a function with side-effects is invoked.
#include "c_standards.h" #include <signal.h> #include <string.h> #include <stdlib.h> #include <stdio.h> #include <setjmp.h> void SDA_088(void); void my_handler1(int signum); /* * Standard 88 D : Illegal use of longjmp in signal handler. */ static jmp_buf env; /* * This is a non-compliant signal handler because it uses longjmp */ void my_handler1(int signum) { fprintf(stderr,"Signal %d encountered\n",signum); longjmp(env,1); } void SDA_088(void) { setjmp(env); signal(SIGINT,my_handler1); } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
The raise() funciton shall not be invoked by a signal handler. If a signal occurs as a result of calling abort or raise, then a further call to raise gives rise to recursion leading to undefined behaviour.
#include "c_standards.h" #include <signal.h> #include <string.h> #include <stdlib.h> #include <stdio.h> #include <setjmp.h> void SDA_088(void); void my_handler1(int signum); /* * Standard 89 D : Illegal use of raise in signal handler. */ static jmp_buf env; void my_handler1(int signum) { fprintf(stderr,"Signal %d encountered\n",signum); } /* * This is a non-compliant signal handler because it uses raise */ void my_handler2(int signum) { fprintf(stderr,"Signal %d encountered\n",signum); raise(SIGUSR1); } void SDA_089(void) { signal(SIGUSR1,my_handler1); signal(SIGINT,my_handler2); } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
For multi-threaded applications, resources that are shared between threads - that is, global objects, shall be guarded to prevent simultaneous use, by means of mutual exclusion (mutex) algorithms.
#include "c_standards.h" /* * Standard 90 D : Unguarded global used in threaded function. */ /* * Simple deadlock * Threaded functions which lock a mutex. * lock/unlock in wrong order in funcB-- another type of race condition. */ #include <stdio.h> // #include <unistd.h> #include <stdlib.h> #include <math.h> #include <sys/types.h> #include <semaphore.h> #include <pthread.h> #define NumOfThreads 2 int ind[] = {0,1}; pthread_mutex_t mutexA; static pthread_t TheThread[NumOfThreads]; void *funcA( void * arg ); void *funcB( void * arg ); int count = 0; int main() { int i, status; if ( pthread_mutex_init(&mutexA , NULL) != 0){ printf("Error initialising mutex\n");} pthread_create( &TheThread[0], NULL, funcA , &ind[0]); pthread_create( &TheThread[1], NULL, funcB , &ind[1]); for(i=0;i <NumOfThreads;i++) { pthread_join(TheThread[i], (void **)&status ); // Exit the threads } } void *funcA( void * arg ){ int *i = (int*)arg; printf("Thread number %d\n", *i); pthread_mutex_lock(&mutexA); count++; pthread_mutex_unlock(&mutexA); return 0; } void *funcB( void * arg ){ int *i = (int*)arg; printf("Thread number %d\n", *i); pthread_mutex_unlock(&mutexA); /* not compliant */ count++; pthread_mutex_lock(&mutexA); return 0; } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
CWE | : | 362 |
This standard is not applicable to java.
The value returned by a function should be used or discarded using (void).
#include "c_standards.h" /******************************************************************* * Standard 91 D : Function return value not used. *******************************************************************/ UINT_32 return_unsigned ( void ); void SDA_091 ( void ) { UINT_32 unused1; unused1 = return_unsigned ( ); /* not compliant */ } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
A virtual function of a class should not called from its constructors or destructor. This may lead to unexpected behaviour, as for example when a constructor of a derived class calls the virtual function of the base class instead of the derived class.
A virtual function can be used in a constructor or destructor, if the function can be determined statically using the scope resolution operator (::).
/******************************************************************* * Standard 92 D : C'tor/d'tor calls virtual function. *******************************************************************/ class Data { public: Data ( ) { virt_fun ( ); } /* not compliant */ ~Data ( ) { virt_fun ( ); } /* not compliant */ virtual void virt_fun ( ) { ; } }; class Data2 { public: Data2 ( ) { Data2::virt_fun2 ( ); } /* compliant */ ~Data2 ( ) { Data2::virt_fun2 ( ); } /* compliant */ virtual void virt_fun2 ( ) { ; } }; /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to c and java.
Local variables should be declared constant wherever possible to avoid unintentional modification, thereby helping to ensure the correctness and security of applications.
Global variables are covered by standard 78 D.
#include "c_standards.h" /******************************************************************* * Standard 93 D : Local variable should be declared const. *******************************************************************/ void SDA_093 ( void ) { UINT_32 local = 44U; use_uint(local); } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
This variable has been declared, but not used and hence can be removed.
#include "c_standards.h" /******************************************************************* * Standard 94 D : Named variable declared but not used in code. *******************************************************************/ UINT_32 SDA_094( void ) { UINT_32 v_1; UINT_32 v_2; /* Not Compliant */ v_1 = 0; return v_1; } /* * * Copyright (c) 2011 Liverpool Data Research Associates * */
CAST | : | 5.16.8, 5.16.18 | ||
CERT-C | : | MSC13-C | ||
CMSE | : | 1.2.10, 1.2.11 | ||
CWE | : | 563 | ||
DERA | : | 143 | ||
GJB | : | 5.2.1, 5.2.2 | ||
MISRA-C++:2008 | : | 0-1-3 |
Some authorities believe that the use of global function pointers is bad programming practice. Certainly it is more difficult to reuse procedures that use such pointers. Furthermore, the order of initialisation across translation units is unspecified, and so any module which contains the appropriate declaration may access a global function pointer defined elsewhere before it has received an initial value.
This standard will also be generated for procedures that indirectly access global function pointers through procedure calls. Checks on global function pointers are covered by 10 D.
extern void gf1(void); void (*gfptr)(void) = &gf1; void SDA_095(void) { gfptr(); /* Not Compliant */ } /* * Copyright (c) 2011 Liverpool Data Research Associates * */
The cross referencer checks that the types of variables used across the system are identical.
#include "c_standards.h" /******************************************************** * XREF VIOLATION 1 X : Declaration types don't match across a system. ********************************************************/ UINT_32 xref_1; SINT_32 xref_1; void dummy(void); void dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CERT-C | : | ARR31-C | ||
CWE | : | 129, 758 | ||
DERA | : | 26 | ||
HIS | : | 26 | ||
MISRA-AC | : | 8.4 | ||
MISRA-C++:2008 | : | 3-2-1 | ||
MISRA-C:1998 | : | 26 | ||
MISRA-C:2004 | : | 8.4 |
#include "c_standards.h" /******************************************************** * XREF VIOLATION 2 X : Ambiguous declaration of variable. ********************************************************/ UINT_32 xref_1; SINT_32 xref_1; void dummy(void); void dummy(void) { /* ... */ } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
A variable has been defined but not subsequently referenced. Unused variables are indicative of programming errors and should be checked and, if not required, removed from the code.
#include "c_standards.h" void XREF_003( SINT_32 p_var ); const SINT_32 g_var = 1; /******************************************************** * XREF VIOLATION 3 X : Variable has only one use. ********************************************************/ void XREF_003( SINT_32 p_var ) { SINT_32 result1 = g_var * p_var; /* Some code which makes no further reference to 'result1'... */ } /* * Copyright (c) 2006 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 0-1-4 |
Tag names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the type definition, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 4 X : Identifier reuse: struct/union tag repeated * A/Ref: *******************************************************************/ void foo(void); void bar(void); void bar(void) { struct stag_name /* Not compliant */ { UINT_32 us1; UINT_32 us2; } sobj1; struct stag_name sobj2 = {1, 2}; /* Compliant */ /***/ } void foo(void) { struct stag_name /* Not compliant */ { SINT_32 ss1; CHAR ch1; } sobj3; /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Tag names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the type definition, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 5 X : Identifier reuse: struct vs union * A/Ref: *******************************************************************/ void foo(void); union utag_name /* Not compliant */ { SINT_32 us1; CHAR us2; } uobj1; union utag_name uobj2 = {'a'}; /* Compliant */ void foo(void) { struct utag_name /* Not compliant */ { UINT_32 ss1; UINT_32 ss2; } sobj1; /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Tag names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the type definition, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 6 X : Identifier reuse: struct/union tag vs enum tag * A/Ref: *******************************************************************/ void foo(void); union utag_name /* Not compliant */ { SINT_32 us1; CHAR us2; } uobj1; void foo(void) { enum utag_name /* Not compliant */ { first, second } sobj1; /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Tag names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the type definition, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 7 X : Identifier reuse: tag vs procedure * A/Ref: *******************************************************************/ void stag_name(void); /* Not compliant */ union stag_name /* Not compliant */ { SINT_32 us1; CHAR us2; } uobj1; void stag_name(void) /* Not compliant */ { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
MISRA-AC | : | 5.4, 5.5, 5.6 | ||
MISRA-C++:2008 | : | 2-10-4, 2-10-5 | ||
MISRA-C:2004 | : | 5.4, 5.5, 5.6 | ||
SEC-C | : | M1.7.1 |
This standard is not applicable to java.
Tag names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the type definition, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 8 X : Identifier reuse: tag vs procedure parameter * A/Ref: *******************************************************************/ void foo(UINT_32 utag_name); /* Not compliant */ union utag_name /* Not compliant */ { SINT_32 us1; CHAR us2; } uobj1; void foo(UINT_32 utag_name) /* Not compliant */ { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Tag names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the type definition, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 9 X : Identifier reuse: tag vs variable * A/Ref: *******************************************************************/ void foo(void); union utag_name /* Not compliant */ { SINT_32 us1; CHAR us2; } uobj1; void foo(void) { UINT_32 utag_name; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Tag names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the type definition, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 10 X : Identifier reuse: tag vs label * A/Ref: *******************************************************************/ void foo(void); union utag_name /* Not compliant */ { SINT_32 us1; CHAR us2; } uobj1; void foo(void) { /***/ utag_name: /* Not compliant */ uobj1.us1 = 0; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Tag names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the type definition, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 11 X : Identifier reuse: tag vs typedef * A/Ref: *******************************************************************/ typedef double utag_name; /* Not compliant */ void foo(void); union utag_name /* Not compliant */ { SINT_32 us1; CHAR us2; } uobj1; void foo(void) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
MISRA-AC | : | 5.3, 5.4, 5.6 | ||
MISRA-C++:2008 | : | 2-10-4, 2-10-6 | ||
MISRA-C:2004 | : | 5.3, 5.4, 5.6 | ||
SEC-C | : | M1.7.1 |
This standard is not applicable to java.
Tag names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the type definition, in multiple source files.
/* FILE 1 */ #define s_tag2 sn1 #include "c_standards.h" /******************************************************************* * Standard 12 X : Identifier reuse: tag vs macro * A/Ref: *******************************************************************/ typedef struct s_tag /* Not compliant */ { UINT_32 comp1; UINT_32 comp2; } s_type; void foo(void); extern void bar(void); void foo(void) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */ /* FILE 2 */ #define s_tag sn2 #define u_tag sn3 #include "c_standards.h" /******************************************************************* * Standard 12 X : Identifier reuse: tag vs macro * A/Ref: *******************************************************************/ typedef struct s_tag2 /* Redefinition of macro in file 1 */ { UINT_32 comp3; UINT_32 comp4; } s_type2; typedef union u_tag /* ok, in-file macro substitution renders this 'sn3' prior to check */ { SINT_32 us1; CHAR us2; } u_type; extern void foo(void); void bar(void); void bar() { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Tag names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the type definition, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 13 X : Identifier reuse: tag vs component * A/Ref: *******************************************************************/ typedef struct stag_name /* Not compliant */ { UINT_32 comp1; UINT_32 comp2; } stag_type; void foo(void); void foo(void) { struct sloctag_name { UINT_32 stag_name; /* Not compliant */ } sobj1; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Tag names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the type definition, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 14 X : Identifier reuse: tag vs enum constant * A/Ref: *******************************************************************/ typedef struct s_name1_tag /* Not complaint */ { UINT_32 comp1; UINT_32 comp2; } s_name1_type; typedef enum e_name1_tag { first, s_name1_tag /* Not compliant */ } e_name1_type; void foo(void); void foo(void) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Tag names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the type definition, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 15 X : Identifier reuse: persistent var vs tag * A/Ref: *******************************************************************/ void foo(void); static UINT_32 static_var2; /* Not compliant */ void foo(void) { struct static_var2 /* Not compliant */ { UINT_32 xx1; UINT_32 yy1; } ss1; /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Typedef names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the typedef, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 16 X : Identifier reuse: typedef vs variable * A/Ref: *******************************************************************/ typedef char t_name; /* Not compliant */ void foo(void); void foo(void) { UINT_32 t_name; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Typedef names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the typedef, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 17 X : Identifier reuse: typedef vs label * A/Ref: *******************************************************************/ UINT_32 foo(void); void bar(void); void bar(void) { typedef char lab_name; /* Not compliant */ /***/ } UINT_32 foo(void) { UINT_32 retval = 0; lab_name: /* Not compliant */ /***/ return retval; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Typedef names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the typedef, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 18 X : Identifier reuse: typedef vs typedef * A/Ref: *******************************************************************/ void foo(void); void bar(void); void foo(void) { typedef double t_name; /* Not compliant */ t_name local_foo_var; /***/ } void bar(void) { typedef char t_name; /* Not compliant */ t_name local_bar_var; /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Typedef names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the typedef, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 19 X : Identifier reuse: typedef vs procedure parameter * A/Ref: *******************************************************************/ typedef char t_name; void foo(UINT_32 t_name); /* Not compliant */ void foo(UINT_32 t_name) /* Not compliant */ { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Typedef names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the typedef, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 20 X : Identifier reuse: persistent var vs typedef * A/Ref: *******************************************************************/ typedef double static_var1; /* Not compliant */ void foo(void); void foo(void) { static UINT_32 static_var1; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Typedef names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the typedef, in multiple source files.
/* FILE 1 */ #include "c_standards.h" /******************************************************************* * Standard 21 X : Identifier reuse: typedef vs macro * A/Ref: *******************************************************************/ typedef int s_tag; /* Not compliant */ void foo(void); void foo() { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */ /* FILE 2 */ #define s_tag sn1 /* Not compliant */ #include "c_standards.h" /******************************************************************* * Standard 21 X : Identifier reuse: typedef vs macro * A/Ref: *******************************************************************/ void bar(void); void bar() { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Typedef names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the typedef, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 22 X : Identifier reuse: typedef vs component * A/Ref: *******************************************************************/ typedef struct my_struct_tag { UINT_32 comp1; UINT_32 t_name; /* Not compliant */ } my_struct_type; typedef char t_name; /* Not compliant */ void foo(void); void foo(void) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Typedef names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the typedef, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 23 X : Identifier reuse: typedef vs enum constant * A/Ref: *******************************************************************/ void foo(void); void bar(void); void foo(void) { typedef struct s_tag { UINT_32 comp1; UINT_32 comp2; } s_type; /* Not compliant */ /***/ } void bar(void) { typedef enum e_tag { first, s_type /* Not compliant */ } e_type; /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Typedef names shall not be reused anywhere within a program, other than through the inclusion of a header file, containing the typedef, in multiple source files.
#include "c_standards.h" /******************************************************************* * Standard 24 X : Identifier reuse: typedef vs procedure * A/Ref: *******************************************************************/ void proc1(void); /* Not compliant */ void proc2(void); void proc1(void) /* Not compliant */ { /***/ } void proc2(void) { typedef char proc1; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
#include "c_standards.h" /******************************************************************* * Standard 25 X : Identifier reuse: procedure vs procedure param * A/Ref: *******************************************************************/ static void proc1(UINT_32 param, /* Not compliant */ UINT_32 another_param); static void proc2(UINT_32 proc1); static void proc1(UINT_32 param, /* Not compliant */ UINT_32 another_param) { /***/ } static void proc2(UINT_32 proc1) /* Not compliant */ { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
#include "c_standards.h" /******************************************************************* * Standard 26 X : Identifier reuse: persistent var vs label * A/Ref: *******************************************************************/ void foo(void); UINT_32 bar(void); void foo(void) { static UINT_32 s_var; /* Not compliant */ /***/ } UINT_32 bar(void) { s_var: /* Not compliant */ /***/ return 0; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
#include "c_standards.h" /******************************************************************* * Standard 27 X : Identifier reuse: persist var vs persist var * A/Ref: *******************************************************************/ void foo(void); UINT_32 p_var; /* Not compliant */ void foo(void) { static UINT_32 p_var; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
#include "c_standards.h" /******************************************************************* * Standard 28 X : Identifier reuse: persistent var vs var * A/Ref: *******************************************************************/ void foo(void); UINT_32 var1; /* Not compliant */ void foo(void) { UINT_32 var1; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
#include "c_standards.h" /******************************************************************* * Standard 29 X : Identifier reuse: persistent var vs procedure * A/Ref: *******************************************************************/ void foo(void); /* Not compliant */ void bar(void); void foo(void) /* Not compliant */ { /***/ } void bar(void) { static UINT_32 foo; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
#include "c_standards.h" /******************************************************************* * Standard 30 X : Identifier reuse: persistent var vs proc param * A/Ref: *******************************************************************/ void foo(UINT_32 pp); /* Not compliant */ void bar(void); void foo(UINT_32 pp) /* Not compliant */ { /***/ } void bar(void) { static UINT_32 pp; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
#include "c_standards.h" /* FILE 1 */ /******************************************************************* * Standard 31 X : Identifier reuse: procedure vs procedure * A/Ref: *******************************************************************/ void foo(UINT_32 pp); void foo(UINT_32 pp) /* Not compliant */ { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */ #include "c_standards.h" /* FILE 2 */ /******************************************************************* * Standard 31 X : Identifier reuse: procedure vs procedure * A/Ref: *******************************************************************/ static void foo(void); static void foo(void) /* Not compliant */ { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to c++ and java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
#include "c_standards.h" /******************************************************************* * Standard 32 X : Identifier reuse: procedure vs var * A/Ref: *******************************************************************/ void foo(void); /* Not compliant */ void bar(void); void foo(void) /* Not compliant */ { /***/ } void bar(void) { UINT_32 foo; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
#include "c_standards.h" /******************************************************************* * Standard 33 X : Identifier reuse: procedure vs label * A/Ref: *******************************************************************/ void foo(void); /* Not compliant */ UINT_32 bar(void); void foo(void) /* Not compliant */ { /***/ } UINT_32 bar(void) { foo: /* Not compliant */ /***/ return 0; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
/* FILE 1 */ #include "c_standards.h" /******************************************************************* * Standard 34 X : Identifier reuse: proc vs macro * A/Ref: *******************************************************************/ void foo(void); /* Not compliant */ void foo() /* Not compliant */ { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */ /* FILE 2 */ #define foo sn1 /* Not compliant */ #include "c_standards.h" /******************************************************************* * Standard 34 X : Identifier reuse: proc vs macro * A/Ref: *******************************************************************/ void bar(void); void bar() { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
#include "c_standards.h" /******************************************************************* * Standard 35 X : Identifier reuse: proc vs component * A/Ref: *******************************************************************/ struct s_tag { UINT_32 comp1; /* Not compliant */ UINT_32 comp2; } s_obj; void comp1(void); /* Not compliant */ void comp1(void) /* Not compliant */ { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
#include "c_standards.h" /******************************************************************* * Standard 36 X : Identifier reuse: proc vs enum constant * A/Ref: *******************************************************************/ void foo(void); /* Not compliant */ void bar(void); void foo(void) /* Not compliant */ { /***/ } void bar(void) { enum e_tag { first, second, foo /* Not compliant */ } e_obj; /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
/* FILE 1 */ #include "c_standards.h" /******************************************************************* * Standard 37 X : Identifier reuse: persistent var vs macro * A/Ref: *******************************************************************/ void foo(void); void foo() { static UINT_32 p_var = 0; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */ /* FILE 2 */ #define p_var sn1 /* Not compliant */ #include "c_standards.h" /******************************************************************* * Standard 37 X : Identifier reuse: persistent var vs macro * A/Ref: *******************************************************************/ void bar(void); void bar() { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
#include "c_standards.h" /******************************************************************* * Standard 38 X : Identifier reuse: persistent var vs component * A/Ref: *******************************************************************/ struct s_tag { UINT_32 comp1; /* Not compliant */ UINT_32 comp2; } s_obj; void foo(void); void foo(void) { static UINT_32 comp1; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The name of an identifier that is persistent, i.e. with static storage duration, should not be reused across any source files in the system. Objects or procedures with external linkage, and objects or procedures with the static storage class specifier, are persistent. Confusion may arise if two identifiers share the same name.
#include "c_standards.h" /******************************************************************* * Standard 39 X : Identifier reuse: persistent var vs enum constant * A/Ref: *******************************************************************/ enum e_tag { first, /* Not compliant */ second } e_obj; void foo(void); void foo(void) { static UINT_32 first; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
An identifier name in one name space should not be reused in a different name space, except for structure and union component names. The C language name spaces are:
Members/components of structs and unions; each struct/union as a separate name space.
Struct, union, and enum tags.
Label names.
All other identifiers.
#include "c_standards.h" /******************************************************************* * Standard 40 X : Identifier reuse: component vs var * A/Ref: *******************************************************************/ struct s_tag { UINT_32 comp1; /* Not compliant */ UINT_32 comp2; } s_obj; void foo(void); void foo(void) { UINT_32 comp1; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
An identifier name in one name space should not be reused in a different name space, except for structure and union component names. The C language name spaces are:
Members/components of structs and unions; each struct/union as a separate name space.
Struct, union, and enum tags.
Label names.
All other identifiers.
#include "c_standards.h" /******************************************************************* * Standard 41 X : Identifier reuse: label vs var * A/Ref: *******************************************************************/ void foo(void); UINT_32 bar(void); void foo(void) { UINT_32 u_var; /* Not compliant */ /***/ } UINT_32 bar(void) { u_var: /* Not compliant */ /***/ return 0; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
An identifier name in one name space should not be reused in a different name space, except for structure and union component names. The C language name spaces are:
Members/components of structs and unions; each struct/union as a separate name space.
Struct, union, and enum tags.
Label names.
All other identifiers.
#include "c_standards.h" /******************************************************************* * Standard 42 X : Identifier reuse: component vs procedure param * A/Ref: *******************************************************************/ struct s_tag { UINT_32 comp1; /* Not compliant */ UINT_32 comp2; } s_obj; void foo(UINT_32 comp2); /* Not compliant */ void foo(UINT_32 comp2) /* Not compliant */ { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
An identifier name in one name space should not be reused in a different name space, except for structure and union component names. The C language name spaces are:
Members/components of structs and unions; each struct/union as a separate name space.
Struct, union, and enum tags.
Label names.
All other identifiers.
#include "c_standards.h" /******************************************************************* * Standard 43 X : Identifier reuse: label vs procedure param * A/Ref: *******************************************************************/ void foo(UINT_32 u_var); UINT_32 bar(void); void foo(UINT_32 u_var) /* Not compliant */ { /***/ } UINT_32 bar(void) { u_var: /* Not compliant */ /***/ return 0; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
An identifier name in one name space should not be reused in a different name space, except for structure and union component names. The C language name spaces are:
Members/components of structs and unions; each struct/union as a separate name space.
Struct, union, and enum tags.
Label names.
All other identifiers.
#include "c_standards.h" /******************************************************************* * Standard 44 X : Identifier reuse: component vs enum constant * A/Ref: *******************************************************************/ struct s_tag { UINT_32 comp1; /* Not compliant */ UINT_32 comp2; } s_obj; enum e_tag { comp1, /* Not compliant */ two } e_obj; void foo(void); void foo(void) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
An identifier name in one name space should not be reused in a different name space, except for structure and union component names. The C language name spaces are:
Members/components of structs and unions; each struct/union as a separate name space.
Struct, union, and enum tags.
Label names.
All other identifiers.
#include "c_standards.h" /******************************************************************* * Standard 45 X : Identifier reuse: component vs label * A/Ref: *******************************************************************/ struct s_tag { UINT_32 lab1; /* Not compliant */ UINT_32 comp2; } s_obj; UINT_32 foo(void); UINT_32 foo(void) { lab1: /* Not compliant */ /***/ return 0; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
An identifier name in one name space should not be reused in a different name space, except for structure and union component names. The C language name spaces are:
Members/components of structs and unions; each struct/union as a separate name space.
Struct, union, and enum tags.
Label names.
All other identifiers.
#include "c_standards.h" /******************************************************************* * Standard 46 X : Identifier reuse: label vs enum constant * A/Ref: *******************************************************************/ enum e_tag { lab1, /* Not compliant */ second, } e_obj; UINT_32 foo(void); UINT_32 foo(void) { lab1: /* Not compliant */ /***/ return 0; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
An identifier name in one name space should not be reused in a different name space, except for structure and union component names. The C language name spaces are:
Members/components of structs and unions; each struct/union as a separate name space.
Struct, union, and enum tags.
Label names.
All other identifiers.
/* FILE 1 */ #include "c_standards.h" /******************************************************************* * Standard 47 X : Identifier reuse: component vs macro * A/Ref: *******************************************************************/ struct s_tag { UINT_32 comp1; UINT_32 comp2; /* Not compliant */ } s_obj; void foo(void); void foo(void) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */ /* FILE 2 */ #define comp2 sn1 /* Not compliant */ #include "c_standards.h" /******************************************************************* * Standard 47 X : Identifier reuse: component vs macro * A/Ref: *******************************************************************/ void bar(void); void bar(void) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
An identifier name in one name space should not be reused in a different name space, except for structure and union component names. The C language name spaces are:
Members/components of structs and unions; each struct/union as a separate name space.
Struct, union, and enum tags.
Label names.
All other identifiers.
/* FILE 1 */ #include "c_standards.h" /******************************************************************* * Standard 48 X : Identifier reuse: label vs macro * A/Ref: *******************************************************************/ UINT_32 foo(void); UINT_32 foo(void) { lab1: /* Not compliant */ /***/ return 0; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */ /* FILE 2 */ #define lab1 sn1 /* Not compliant */ #include "c_standards.h" /******************************************************************* * Standard 48 X : Identifier reuse: label vs macro * A/Ref: *******************************************************************/ void bar(void); void bar(void) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Identifier names should not be reused across any files in the system, regardless of scope. This violation captures a specific instance of identifier reuse not explicitly checked under the rules applied by 4 X to 48 X.
#include "c_standards.h" /******************************************************************* * Standard 49 X : Identifier reuse: var vs proc param * A/Ref: *******************************************************************/ void foo(UINT_32 pp); /* Not compliant */ void bar(void); void foo(UINT_32 pp) /* Not compliant */ { /***/ } void bar(void) { UINT_32 pp; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Identifier names should not be reused across any files in the system, regardless of scope. This violation captures a specific instance of identifier reuse not explicitly checked under the rules applied by 4 X to 48 X.
/* FILE 1 */ #include "c_standards.h" /******************************************************************* * Standard 50 X : Identifier reuse: var vs macro * A/Ref: *******************************************************************/ void foo(void); void foo(void) { UINT_32 loc_var = 0; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */ /* FILE 2 */ #define loc_var sn1 /* Not compliant */ #include "c_standards.h" /******************************************************************* * Standard 50 X : Identifier reuse: var vs macro * A/Ref: *******************************************************************/ void bar(void); void bar(void) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Identifier names should not be reused across any files in the system, regardless of scope. This violation captures a specific instance of identifier reuse not explicitly checked under the rules applied by 4 X to 48 X.
#include "c_standards.h" /******************************************************************* * Standard 51 X : Identifier reuse: var vs enum constant * A/Ref: *******************************************************************/ enum e_tag { first, /* Not compliant */ second } e_obj; void foo(void); void foo(void) { UINT_32 first; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Identifier names should not be reused across any files in the system, regardless of scope. This violation captures a specific instance of identifier reuse not explicitly checked under the rules applied by 4 X to 48 X.
#include "c_standards.h" /******************************************************************* * Standard 52 X : Identifier reuse: proc param vs proc param * A/Ref: *******************************************************************/ static void proc1(UINT_32 param); /* Not compliant */ static void proc2(UINT_32 param); /* Not compliant */ static void proc1(UINT_32 param) /* Not compliant */ { /***/ } static void proc2(UINT_32 param) /* Not compliant */ { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Identifier names should not be reused across any files in the system, regardless of scope. This violation captures a specific instance of identifier reuse not explicitly checked under the rules applied by 4 X to 48 X.
/* FILE 1*/ #include "c_standards.h" /******************************************************************* * Standard 53 X : Identifier reuse: proc param vs macro * A/Ref: *******************************************************************/ void foo(UINT_32 param); /* Not compliant */ void foo(UINT_32 param) /* Not compliant */ { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */ /* FILE 2*/ #define param sn1 /* Not compliant */ #include "c_standards.h" /******************************************************************* * Standard 53 X : Identifier reuse: proc param vs macro * A/Ref: *******************************************************************/ void bar(void); void bar(void) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Identifier names should not be reused across any files in the system, regardless of scope. This violation captures a specific instance of identifier reuse not explicitly checked under the rules applied by 4 X to 48 X.
#include "c_standards.h" /******************************************************************* * Standard 54 X : Identifier reuse: proc param vs enum constant * A/Ref: *******************************************************************/ void foo(UINT_32 param); /* Not compliant */ void bar(void); void foo(UINT_32 param) /* Not compliant */ { /***/ } void bar(void) { enum e_tag { first, second, param /* Not compliant */ } e_obj; /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Identifier names should not be reused across any files in the system, regardless of scope. This violation captures a specific instance of identifier reuse not explicitly checked under the rules applied by 4 X to 48 X.
#include "c_standards.h" /******************************************************************* * Standard 55 X : Identifier reuse: label vs label * A/Ref: *******************************************************************/ UINT_32 foo(void); UINT_32 bar(void); UINT_32 foo(void) { lab1: /* Not compliant */ /***/ return 0; } UINT_32 bar(void) { lab1: /* Not compliant */ /***/ return 0; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Identifier names should not be reused across any files in the system, regardless of scope. This violation captures a specific instance of identifier reuse not explicitly checked under the rules applied by 4 X to 48 X.
/* FILE 1*/ #include "c_standards.h" /******************************************************************* * Standard 57 X : Identifier reuse: macro vs enum constant * A/Ref: *******************************************************************/ enum e_tag { first, runnerup /* Not compliant */ } e_obj; void foo(void); void foo(void) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */ /*FILE 2*/ #define runnerup sn1 /* Not compliant */ #include "c_standards.h" /******************************************************************* * Standard 57 X : Identifier reuse: macro vs enum constant * A/Ref: *******************************************************************/ void bar(void); void bar(void) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Identifier names should not be reused across any files in the system, regardless of scope. This violation captures a specific instance of identifier reuse not explicitly checked under the rules applied by 4 X to 48 X.
#include "c_standards.h" /******************************************************************* * Standard 58 X : Identifier reuse: component vs component * A/Ref: *******************************************************************/ struct s_tag1 { UINT_32 comp1; /* Not compliant */ UINT_32 comp2; } s_obj1; struct s_tag2 { UINT_32 comp1; /* Not compliant */ UINT_32 comp3; } s_obj2; void foo(void); void foo(void) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Identifier names should not be reused across any files in the system, regardless of scope. This violation captures a specific instance of identifier reuse not explicitly checked under the rules applied by 4 X to 48 X.
#include "c_standards.h" /******************************************************************* * Standard 59 X : Identifier reuse: enum constant vs enum constant * A/Ref: *******************************************************************/ void foo(void); void bar(void); void foo(void) { enum e_tag1 { first, /* Not compliant */ runnerup } e_obj1; /***/ } void bar(void) { enum e_tag2 { first, /* Not compliant */ second } e_obj2; /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Identifier names should not be reused across any files in the system, regardless of scope. This violation captures a specific instance of identifier reuse not explicitly checked under the rules applied by 4 X to 48 X.
#include "c_standards.h" /******************************************************************* * Standard 60 X : Identifier reuse: variable vs variable * A/Ref: *******************************************************************/ void foo(void); void bar(void); void foo(void) { UINT_32 local_var = 0; /* Not compliant */ /***/ } void bar(void) { UINT_32 local_var = 0; /* Not compliant */ /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
Identifiers shall not shall not rely on the significance of more than a limited number of characters, which is typically 31. Compiler support varies, and if the limit is exceeded, behaviour is undefined.
#include "c_standards.h" /******************************************************************* * Standard 61 X : Identifier match in *** chars * A/Ref: *******************************************************************/ void foo(void); UINT_32 global_variable_with_long_name1x; /* Not compliant */ UINT_32 global_variable_with_long_name1y; /* Not compliant */ void foo(void) { /***/ } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
The return type given for a function declaration and definition shall be identical. The base type, qualifiers, and typedef name must all match.
Note that for C++ files, MISRA-C++:2008 checking needs to be enabled in order for this violation to be detected, either via selection of the MISRA-C++:2008 programming model or by configuring the modifier 331 in the creport.dat file. (TBmisra license permitting). Instructions for making alterations can be found in the report.dat file.
#include "c_standards.h" typedef unsigned int ANOTHER_UINT_32; /******************************************************************* * Standard 62 X : Function prototype/defn return type mismatch. *******************************************************************/ ANOTHER_UINT_32 foo(void); UINT_32 foo(void) /* Not compliant */ { UINT_32 ret_val = 0; /***/ return ret_val; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
The formal parameter types given for a function declaration and definition shall be identical. The base type, qualifiers, and typedef name must all match.
#include "c_standards.h" typedef unsigned int ANOTHER_UINT_32; /******************************************************************* * Standard 63 X : Function prototype/defn parameter type mismatch. * A/Ref: *******************************************************************/ UINT_32 foo(ANOTHER_UINT_32 p1); UINT_32 foo(UINT_32 p1) /* Not compliant */ { UINT_32 ret_val = p1; /***/ return ret_val; } /* * * Copyright (c) 2007 Liverpool Data Research Associates * */
This standard is not applicable to java.
An array parameter has been indexed by a value that is not in the range specified for the array.
#include "c_standards.h" /******************************************************************* * Standard 64 X : Array bound exceeded at call. *******************************************************************/ static INT_32 indexArray ( const INT_32 array [] ) { return array[4]; } INT_32 XREF_064 ( void ) { INT_32 array[3] = {1, 2, 3}; return indexArray( array ); /* not compliant */ } INT_32 main ( void ) { return XREF_064 ( ); } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
CERT-C | : | ARR30-C | ||
CWE | : | 121, 124, 126, 127, 129, 193, 466, 758, 823 | ||
MISRA-AC | : | 21.1 | ||
MISRA-C:2004 | : | 21.1 |
Some guidelines do not permit the use of continue in complex loops.
#include "c_standards.h" /******************************************************************* * Standard 65 X : Continue in ill-formed loop. *******************************************************************/ static void XREF_065 ( void ) { INT_32 j = -1; INT_32 i; for ( i = 0; i != 10 && j != i; ++i ) { if ( ( i % 2 ) == 0 ) { continue; /* not compliant - loop is not well-formed */ } ++j; } } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
MISRA-C++:2008 | : | 6-6-3 |
When copying from source to destination, the destination must not overrun as a result of the operation. Overrun leads to data corruption. This standard reports problems where the source is a parameter to a procedure. Other situations are covered by standards 489 S, 70 X and 71 X.
/******************************************************************* * Standard 66 X : Insufficient array space at call. *******************************************************************/ void copy (char src_array[]) { char dest_arr[3]; (void) strcpy (dest_arr, src_array); /* not compliant */ } void XREF_066 ( void ) { char arrc[10]; copy(arrc); } int main ( void ) { XREF_066 ( ); } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
It is not advisable to use identifiers that appear the same in some typefaces, as this can lead to the developer confusing one identifier with another.
#include "c_standards.h" static void xref_67( void ); /******************************************************************* * Standard 67 X : Identifier is typographically ambiguous. *******************************************************************/ static void xref_67 ( void ) { int32_t id1_a_bc; int32_t id1_ab_c; /* not compliant */ int32_t id2_ii; int32_t id2_11; /* not compliant */ int32_t id3_i0; int32_t id3_1O; /* not compliant */ int32_t id4_in; int32_t id4_1h; /* not compliant */ int32_t id5_Z5; int32_t id5_2S; /* not compliant */ int32_t id6_ZS; int32_t id6_25; /* not compliant */ /***/ ; /***/ } /* * * Copyright (c) 2009 Liverpool Data Research Associates * */
A procedure parameter has been used to index an array and exceeds the range specified for the array.
#include "c_standards.h" /******************************************************************* * Standard 68 X : Parameter indexing array too big at call. *******************************************************************/ static INT_32 XREF_068 ( UINT_32 index ) { INT_32 array[10] = {0}; return array[index]; } INT_32 main ( void ) { return XREF_068( 20U ); /* not compliant */ } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
CERT-C | : | ARR30-C | ||
CWE | : | 121, 124, 126, 127, 129, 193, 466, 758, 823 | ||
MISRA-AC | : | 21.1 | ||
MISRA-C:2004 | : | 21.1 |
An index has been found which is not in the range specified for a globally declared array. This standard is enforced for arrays that are explicitly declared. The use of local arrays or indexing via procedure calls are reported using 47 S, 64 X, 68 X and 72 X.
#include "c_standards.h" INT_32 array[3] = {1, 2, 3}; INT_32 XREF_069 ( void ) { return array[3]; /* not compliant */ } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
CERT-C | : | ARR30-C | ||
CWE | : | 121, 124, 126, 127, 129, 193, 466, 758, 823 | ||
MISRA-AC | : | 21.1 | ||
MISRA-C:2004 | : | 21.1 |
When copying from source to destination, the destination must not overrun as a result of the operation. Overrun leads to data corruption. This standard reports problems where the destination is a parameter to a procedure. Other situations are covered by standards 489 S, 66 X and 71 X.
#include "c_standards.h" /******************************************************************* * Standard 70 X : Array has insufficient space. *******************************************************************/ void copy (char *dest_array) { char src_array[8] = "abcdefg"; (void) strcpy (dest_array, src_array); } void XREF_070 ( void ) { char arr_3[3]; copy(arr_3); /* not compliant */ } int main ( void ) { XREF_070 ( ); } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
When copying from source to destination, the destination must not overrun as a result of the operation. Overrun leads to data corruption. This standard reports problems where both the source and destination are parameters to a procedure. Other situations are covered by standards 489 S, 66 X and 70 X.
#include "c_standards.h" /******************************************************************* * Standard 71 X : Insufficient space for copy. *******************************************************************/ void copy (char *dest_array, char *src_array) { (void) strcpy (dest_array, src_array); /* not compliant */ } void XREF_070 ( void ) { char arr_3[3]; char src_array[8] = "abcdefg"; copy(arr_3, src_array); } int main ( void ) { XREF_071 ( ); } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
A procedure parameter has been used to index an array, and is found to have a value less than 0.
#include "c_standards.h" static INT_32 XREF_072 ( INT_32 index ) { INT_32 array[10] = {0}; return array[index]; } #define OFFSET 12 INT_32 main ( void ) { return XREF_072(10-OFFSET); /* not compliant */ } /* * * Copyright (c) 2010 Liverpool Data Research Associates * */
This standard is not applicable to java.
Information flow analysis cannot find any output statement which is affected by this variable.
#include "c_standards.h" UINT_32 InfoFlow001( void ); /******************************************************** * Information Flow 1 I : Local variables contribute nothing to results. ********************************************************/ UINT_32 InfoFlow001( void ) { UINT_32 result = 0; UINT_32 if_1 = 0; /* ... */ return (result); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Procedure Footer * Source Code & Violations Yes Procedure Footer * Reformatted Code Yes Procedure Footer * Individual Quality Report Yes * */
A function call, placed on the right hand side of the logical operator && or ||, or ternary operator, shall not contain parameter side effects. By nature of the expression, the function may not be called depending on the values of the other sub-expressions. This conditional evaluation may not be obvious to all and can lead to mistakes.
#include "C_STANDARDS.H" BOOL Test_q1( UINT_32 Position, UINT_32 *Won); BOOL QUALREP_001(UINT_32 *Places, UINT_32 races); BOOL Test_q1( UINT_32 Position, UINT_32 *Won ) { UINT_32 NewWins = *Won; BOOL bWon = FALSE; if ( Position == 1 ) { bWon = TRUE; NewWins++; } *Won = NewWins; return ( bWon ); } /******************************************************** * Quality Report 1 Q : Call has execution order dependant side effects * ********************************************************/ BOOL QUALREP_001(UINT_32 *Places, UINT_32 races) { BOOL bWonAll = TRUE; UINT_32 WonCount = 0; UINT_32 Race=0; UINT_32 RacePosition; while (Race <races) { RacePosition = Places[Race]; bWonAll = ( bWonAll && ( Test_q1( RacePosition, &WonCount ) ) ); Race++; } return ( WonCount > 0 ); } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code Yes Line * Source Code & Violations Yes Line * Reformatted Code Yes Line * Individual Quality Report Yes * */
CERT-C | : | EXP02-C, EXP10-C, EXP30-C | ||
CWE | : | 737, 758, 768 | ||
DERA | : | 33, 46 | ||
HIC++ | : | 10.3, 10.9 | ||
HIS | : | 33, 46 | ||
JSF++ AV | : | 157, 204 | ||
LMTCP | : | 286, 362 | ||
MISRA-AC | : | 12.2, 12.4 | ||
MISRA-C++:2008 | : | 5-0-1 | ||
MISRA-C:1998 | : | 33, 46 | ||
MISRA-C:2004 | : | 12.2, 12.4 | ||
SEC-C | : | M1.8.1, M3.2.1, R3.6.1 |
This standard is not applicable to java.
The *** symbols refer to a user definable number for this standard. The configuration is made in the <lang>pen.dat file.
#include "C_STANDARDS.H" BOOL isHexDigit( CHAR TestChar ); /******************************************************** * Quality Report 2 Q : LCSAJ density exceeds ***. ********************************************************/ BOOL isHexDigit( CHAR TestChar ) { BOOL bResult; bResult = FALSE; if ((TestChar == '0') || (TestChar == '1') || (TestChar == '2') || (TestChar == '3') || (TestChar == '4') || (TestChar == '5') || (TestChar == '6') || (TestChar == '7') || (TestChar == '8') || (TestChar == '9') || (TestChar == 'A') || (TestChar == 'a') || (TestChar == 'B') || (TestChar == 'b') || (TestChar == 'C') || (TestChar == 'c') || (TestChar == 'D') || (TestChar == 'd') || (TestChar == 'E') || (TestChar == 'e') || (TestChar == 'F') || (TestChar == 'f')) { bResult = TRUE; } return bResult; } /* * Copyright (c) 2001 Liverpool Data Research Associates * * This penalty is reported as follows: * * Report Active Location * * Annotated Source Code No * Source Code & Violations Yes File Header * Reformatted Code Yes File Header * Individual Quality Report Yes Global * */
DERA | : | 145 |
Filenames shall only contain lower case letters. Always using lower case avoids the possibility of conflicts on systems that are not case sensitive.
This standard is not applicable to java.
Include statements must not contain directory (path) information. Portability of the code may be affected by hard-coding paths to files.
This standard is not applicable to java.
CWE | : | 561, 674 | ||
DERA | : | 70 | ||
EADS-C | : | 117 | ||
EADS-C++ | : | 22 | ||
HIS | : | 70 | ||
JPL | : | 1 | ||
JSF++ AV | : | 119 | ||
LMTCP | : | 219 | ||
MISRA-AC | : | 16.2 | ||
MISRA-C++:2008 | : | 7-5-4 | ||
MISRA-C:1998 | : | 70 | ||
MISRA-C:2004 | : | 16.2 | ||
SEC-C | : | R3.3.1 |
CERT-C | : | MSC07-C | ||
CWE | : | 561, 570, 571 | ||
DERA | : | 52 | ||
HIS | : | 52 | ||
JSF++ AV | : | 186 | ||
LMTCP | : | 337 | ||
MISRA-AC | : | 14.1 | ||
MISRA-C++:2008 | : | 0-1-1, 6-6-1 | ||
MISRA-C:1998 | : | 52 | ||
MISRA-C:2004 | : | 14.1 | ||
SEC-C | : | M1.9.1 |
This standard is not applicable to java.
This standard is not applicable to java.