ARR39-C. Do not add or subtract a scaled integer to a pointer was moved during the course of review; it was formerly EXP41-C.
ARR36-C. Do not subtract or compare two pointers that do not refer to the same array has improved code examples. The noncompliant code example takes the address of the local variable and subtracts the array address from it (which will produce the expected behavior on some platforms, but is still forbidden). The compliant code example subtracts from the pointer past the end of the array. Also, the text was changed to refer to element counts rather than byte counts (which contributed nothing to the rule).
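As an added illustration of the compliant pattern described for ARR36-C (example code written for this summary, not the standard's own example), the functions below derive indices and counts only by subtracting pointers that both point into, or one past the end of, the same array; the `data` array, `lower_bound` and the sample values are constructed for the example:

```c
#include <stddef.h>
#include <stdio.h>

#define N 8
/* Constructed sample array (sorted so lower_bound is meaningful). */
static int data[N] = {3, 7, 11, 20, 31, 45, 46, 53};

/* Return a pointer to the first element >= key, or the past-the-end
 * pointer when no such element exists. Both results point into (or one
 * past) the same array, so subtracting 'first' from them is well defined. */
int *lower_bound(int *first, int *last, int key) {
    int *p = first;
    while (p != last && *p < key) {
        ++p;
    }
    return p;
}

/* Index of the first element >= key, counted in elements, not bytes.
 * Returns N (the element count) when no such element exists. */
ptrdiff_t index_of_lower_bound(int key) {
    int *last = data + N;   /* one past the end: valid to form and compare */
    return lower_bound(data, last, key) - data;
}

/* Element count of 'data' computed from the past-the-end pointer
 * (ARR36-C compliant): the result is N, not N * sizeof(int). */
ptrdiff_t element_count(void) {
    return (data + N) - data;
}

/* The byte span, which is what a byte-count reading of pointer
 * subtraction would wrongly suggest the difference above already is. */
size_t byte_count(void) {
    return (size_t)element_count() * sizeof *data;
}

int main(void) {
    printf("elements: %td, bytes: %zu, index of 31: %td, index of 99: %td\n",
           element_count(), byte_count(),
           index_of_lower_bound(31), index_of_lower_bound(99));
    return 0;
}
```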
ARR30-C. Do not form or use out-of-bounds pointers or array subscripts has new noncompliant and compliant code examples that illustrate addition to a null pointer, as in the Mark Dowd Flash vulnerability; see http://www.securityfocus.com/blogs/746 for more information. The code examples that involved a skip variable were transferred to ARR38-C. Guarantee that library functions do not form invalid pointers, and the code examples involving the fread() call were transferred from ARR30-C to ARR39-C. Do not add or subtract a scaled integer to a pointer.
CON09-C. Avoid the ABA problem when using lock-free algorithms was moved during the course of review; it was formerly CON39-C.
ENV00-C was moved from a recommendation to a rule; it is now ENV34-C. Do not store pointers returned by certain functions.
ENV04-C was moved from a recommendation to a rule; it is now ENV33-C. Do not call system() if you do not need a command processor.
ERR30-C. Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure has lost its signal() and setlocale() code examples, as they clearly violate ERR33-C. Detect and handle standard library errors.
EXP44-C. Do not use side effects in operands to sizeof, _Alignof, or _Generic was moved during the course of review; it was formerly EXP06-C.
EXP18-C has been moved from a recommendation to a rule; it is now EXP45-C. Do not perform assignments in selection statements.
Dynamic allocation content was moved from MEM09-C. Do not assume memory allocation functions initialize memory to EXP33-C. Do not read uninitialized memory.
EXP37-C. Call functions with the correct number and type of arguments has an improved first set of code examples that illustrates more precisely that the problem is not with a parameterless function prototype. With these improvements, the second NCCE/CS pair became completely redundant, so it was eliminated. Finally, the third set of code samples, which dealt with a variadic function, actually violated DCL40-C. Do not create incompatible declarations of the same function or object, so it was moved there.
In EXP39-C. Do not access a variable through a pointer of an incompatible type, we deleted the code examples that read a float unioned with an int after the int had been modified. This works on some machines because of type punning, but it is not guaranteed by C11.
FLP36-C. Preserve precision when converting integral values to floating-point type now uses PRECISION() and cites INT35-C. Use correct integer precisions.
FIO21-C. Do not create temporary files in shared directories was moved during the course of review; it was formerly FIO43-C.
FIO34-C. Distinguish between characters read from a file and EOF or WEOF has assimilated the old FIO34-C and FIO35-C and included examples dealing with wide characters.
INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data has a new exception to permit conversion of characters between different character types.
INT32-C. Ensure that operations on signed integers do not result in overflow has several changes:
Finally, it now has only a paragraph describing the behavior of atomic integers rather than code examples.
INT30-C. Ensure that unsigned integer operations do not wrap now has a single paragraph describing the behavior of atomic integers rather than code examples. Also, exception 3 allows wrapping on the left-shift operator and references INT34-C. Do not shift a negative number of bits or more bits than exist in the operand.
INT11-C was changed to a rule; it is now INT36-C. Converting a pointer to integer or integer to pointer.
MEM31-C. Free dynamically allocated memory when no longer needed has a new exception (based on the formerly final compliant solution). Memory need not be freed if it can be referenced from static variables.
MEM35-C. Allocate sufficient memory for an object has absorbed EXP01-C. Do not take the size of a pointer to determine the size of the pointed-to type. It has new "normative" text saying to be sure to apply sizeof to the right type.
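To show the defect that the absorbed EXP01-C text addresses beside the form MEM35-C now calls for, here is a constructed example (written for this summary, not the standard's own code); the `struct record` type and the allocation helpers are assumptions made for the illustration:

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed sample type: 36 bytes on common platforms, far larger than a pointer. */
struct record {
    char name[32];
    unsigned id;
};

/* Noncompliant (MEM35-C, formerly EXP01-C): sizeof is applied to the pointer
 * variable, so each record gets only sizeof(struct record *) bytes. Writing
 * a full record into this buffer would overflow it; shown only for contrast. */
struct record *alloc_records_bad(size_t n) {
    struct record *r = malloc(n * sizeof(r));
    return r;
}

/* Compliant: sizeof is applied to the pointed-to object (*r), so the size
 * follows the element type even if r is later redeclared. The count is
 * checked first so n * sizeof *r cannot wrap (the INT30-C concern). */
struct record *alloc_records(size_t n) {
    if (n == 0 || n > SIZE_MAX / sizeof(struct record)) {
        return NULL;
    }
    struct record *r = malloc(n * sizeof *r);
    return r;
}

/* The request sizes each version computes, exposed so they can be compared. */
size_t bytes_requested_bad(size_t n) { return n * sizeof(struct record *); }
size_t bytes_requested_good(size_t n) { return n * sizeof(struct record); }
```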
DCL41-C. Do not declare variables inside a switch statement before the first case label has a new title but no other changes.
In MSC38-C. Do not treat a predefined identifier as an object if it might only be implemented as a macro, we updated the wording and replaced one NCCE/CS pair involving assert() with a different example.
PRE31-C. Do not perform side effects in arguments to unsafe macros has a compliant solution demonstrating the benefits of using a _Generic selection expression.
In SIG31-C. Do not access shared objects in signal handlers, we updated the wording and added NCCEs, a CS, and an exception.
STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator now has code examples dealing with fscanf().
STR32-C. Do not pass a non-null-terminated character sequence to a library function that expects a string is more limited; it is violated only if the non-null-terminated character sequence is passed to a library function that expects a null-terminated byte string.
In FLP32-C. Prevent or detect domain and range errors in math functions, we updated the math_errhandling examples so that they do not presume the use of a macro.