Home
|
Rules:
- A function shall have only one return.
Returns from nested code can add significant complexity.
- The goto statement shall be used to handle exceptions and early-exit conditions.
This rule along with the previous rule, helps to ensure that cleanup (or final statements) are executed.
- All functions return an int value; indicating success (0) or error.
Preferably, error values returned are selected from those in errno.h.
- Place constants on the left of equality comparisons.
[EXP21-C]
"'Yoda conditions' are when you put the condition backwards" --Paul Griffiths/SO
- Do not create a universal character name through concatenation.
[PRE30-C]]
- Avoid side effects in arguments to unsafe macros
[PRE31-C]
- Do not use preprocessor directives in invocations of function-like macros.
[PRE32-C]
- Declare objects with appropriate storage durations.
[DCL30-C]
- Declare identifiers before using them.
[DCL31-C]
- Do not declare an identifier with conflicting linkage classification.
[DCL36-C]
- Do not declare or define a reserved identifier.
[DCL37-C]
- Use the correct syntax when declaring a flexible array member.
[DCL38-C]
- Avoid information leakage in structure padding.
[DCL39-C]
- Do not create incompatible declarations of the same function or object.
[DCL40-C]
- Do not declare variables inside a switch statement before the first case label.
[DCL41-C]
- Do not depend on the order of evaluation for side effects.
[EXP30-C]
- Do not access a volatile object through a nonvolatile reference.
[EXP32-C]
- Do not read uninitialized memory.
[EXP33-C]
- Do not dereference null pointers.
[EXP34-C]
- Do not modify objects with temporary lifetime.
[EXP35-C]
- Do not cast pointers into more strictly aligned pointer types.
[EXP36-C]
- Call functions with the correct number and type of arguments.
[EXP37-C]
- Do not access a variable through a pointer of an incompatible type.
[EXP39-C]
- Do not modify constant objects.
[EXP40-C]
- Do not compare padding data.
[EXP42-C]
- Avoid undefined behavior when using restrict-qualified pointers.
[EXP43-C]
- Do not rely on side effects in operands to sizeof, _Alignof, or _Generic.
[EXP44-C]
- Do not perform assignments in selection statements.
[EXP45-C]
- Ensure that unsigned integer operations do not wrap
[INT30-C]
- Ensure that integer conversions do not result in lost or misinterpreted data
[INT31-C]
- Ensure that operations on signed integers do not result in overflow
[INT32-C]
- Ensure that division and remainder operations do not result in divide-by-zero errors
[INT33-C]
- Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand
[INT34-C]
- Use correct integer precisions
[INT35-C]
- Converting a pointer to integer or integer to pointer
[INT36-C]
- Do not use floating-point variables as loop counters
[FLP30-C]
- Prevent or detect domain and range errors in math functions
[FLP32-C]
- Ensure that floating-point conversions are within range of the new type
[FLP34-C]
- Preserve precision when converting integral values to floating-point type
[FLP36-C]
- Do not form or use out-of-bounds pointers or array subscripts
[ARR30-C]
- Ensure size arguments for variable length arrays are in a valid range
[ARR32-C]
- Do not subtract or compare two pointers that do not refer to the same array
[ARR36-C]
- Do not add or subtract an integer to a pointer to a non-array object
[ARR37-C]
- Guarantee that library functions do not form invalid pointers
[ARR38-C]
- Do not add or subtract a scaled integer to a pointer
[ARR39-C]
- Do not attempt to modify string literals
[STR30-C]
- Guarantee that storage for strings has sufficient space for character data and the null terminator
[STR31-C]
- Do not pass a non-null-terminated character sequence to a library function that expects a string
[STR32-C]
- Cast characters to unsigned char before converting to larger integer sizes
[STR34-C]
- Arguments to character-handling functions must be representable as an unsigned char
[STR37-C]
- Do not confuse narrow and wide character strings and functions
[STR38-C]
- Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure
[ERR30-C]
- Do not rely on indeterminate values of errno
[ERR32-C]
- Detect and handle standard library errors
[ERR33-C]
- Clean up thread-specific storage
[CON30-C]
- Do not destroy a mutex while it is locked
[CON31-C]
- Prevent data races when accessing bit-fields from multiple threads
[CON32-C]
- Avoid race conditions when using library functions
[CON33-C]
- Declare objects shared between threads with appropriate storage durations
[CON34-C]
- Avoid deadlock by locking in a predefined order
[CON35-C]
- Wrap functions that can spuriously wake up in a loop
[CON36-C]
- Do not call signal() in a multithreaded program
[CON37-C]
- Preserve thread safety and liveness when using condition variables
[CON38-C]
- Do not join or detach a thread that was previously joined or detached
[CON39-C]
- Do not refer to an atomic variable twice in an expression
[CON40-C]
- Wrap functions that can fail spuriously in a loop
[CON41-C]
- Do not use the rand() function for generating pseudorandom numbers
[MSC30-C]
- Properly seed pseudorandom number generators
[MSC32-C]
- Do not pass invalid data to the asctime() function
[MSC33-C]
- Ensure that control never reaches the end of a non-void function
[MSC37-C]
- Do not treat a predefined identifier as an object if it might only be implemented as a macro
[MSC38-C]
- Do not call va_arg() on a va_list that has an indeterminate value
[MSC39-C]
- Do not violate constraints
[MSC40-C]
- Use the readlink() function properly
[POS30-C]
- Do not use vfork()
[POS33-C]
- Do not call putenv() with a pointer to an automatic variable as the argument
[POS34-C]
- Avoid race conditions while checking for the existence of a symbolic link
[POS35-C]
- Observe correct revocation order while relinquishing privileges
[POS36-C]
- Ensure that privilege relinquishment is successful
[POS37-C]
- Beware of race conditions when using fork and file descriptors
[POS38-C]
- Use the correct byte ordering when transferring data between systems
[POS39-C]
- Do not use signals to terminate threads
[POS44-C]
- Do not use threads that can be canceled asynchronously
[POS47-C]
- Do not unlock or destroy another POSIX thread's mutex
[POS48-C]
- When data must be accessed by multiple threads, provide a mutex and guarantee no adjacent data is also accessed
[POS49-C]
- Declare objects shared between POSIX threads with appropriate storage durations
[POS50-C]
- Avoid deadlock with POSIX threads by locking in predefined order
[POS51-C]
- Do not perform operations that can block while holding a POSIX lock
[POS52-C]
- Do not use more than one mutex for concurrent waiting operations on a condition variable
[POS53-C]
- Detect and handle POSIX library errors
[POS54-C]
- Properly pair allocation and deallocation functions
[WIN30-C]
|
|
Guidelines:
- Prefer inline or static functions to function-like macros.
[PRE00-C]
- Use parentheses within macros and around parameter names. Parenthesize all parameter names found in macro definitions.
[PRE01-C]
- Macro replacement lists should be parenthesized to protect any lower-precedence operators from the surrounding expression.
[PRE02-C]
- Prefer type definitions (typedef) to macro definitions (#define) when encoding types.
[PRE03-C]
- Do not reuse a standard header file name.
[PRE04-C]
- Understand macro replacement when concatenating tokens or performing stringification.
[PRE05-C]
- Enclose header files in an inclusion guard.
[PRE06-C]
- Avoid using repeated question marks.
[PRE07-C]
- Guarantee that header file names are unique.
[PRE08-C]
- Do not replace secure functions with deprecated or obsolescent functions.
[PRE09-C]
- Wrap multistatment macros in a do-while loop.
[PRE10-C]
- Wrap multistatment macros in a do-while loop.
[PRE10-C]
- Do not conclude macro definitions with a semicolon.
[PRE11-C]
- Do not define unsafe macros.
[PRE12-C]
- Use the Standard predefined macros to test for versions and features.
[PRE13-C]
- 'const'-qualify immutable objects.
[DCL00-C]
- Do not reuse variable names in subscopes.
[DCL01-C]
- Use visually distinct identifiers.
[DCL02-C]
- Use a static assertion to test the value of a constant expression.
[DCL03-C]
- Do not declare more than one variable per declaration.
[DCL04-C]
- Use typedefs of non-pointer types only.
[DCL05-C]
- Use meaningful symbolic constants to represent literal values in program logic.
[DCL06-C]
- Include the appropriate type information in function declarators.
[DCL07-C]
- Properly encode relationships in constant definitions.
[DCL08-C]
- Declare functions that return an errno error code with a return type of errno_t.
[DCL09-C]
- Maintain the contract between the writer and caller of variadic functions.
[DCL10-C]
- Understand the type issues associated with variadic functions.
[DCL11-C]
- Implement abstract data types using opaque types.
[DCL12-C]
- Declare function parameters tha are pointers to values not changed by the function as 'const'.
[DCL13-C]
- Declare file-scope objects or functions that do not need external linkage as 'static'.
[DCL15-C]
- Use "L," not "l," to indicate a long value.
[DCL16-C]
- Beware of miscompiled volatile-qualified variables.
[DCL17-C]
- Do not begin integer constants with 0 when specifying a decimal value.
[DCL18-C]
- Minimize the scope of variables and functions.
[DCL19-C]
- Explicitly specify void when a function accepts no arguments.
[DCL20-C]
- Understand the storage of compound literals.
[DCL21-C]
- Use volatile for data that cannot be cached.
[DCL22-C]
- Guarantee that mutually visible identifiers are unique.
[DCL23-C]
- Use parentheses for precedence of operation.
[EXP00-C]
- Be aware of the short-circuit behavior of the logical AND and OR operators.
[EXP02-C]
- Do not assume the size of a structure is the sum of the sizes of its members.
[EXP03-C]
- Do not cast away a const qualification.
[EXP05-C]
- Do not diminish the benefits of constants by assuming their values in expressions.
[EXP07-C]
- Ensure pointer arithmetic is used correctly.
[EXP08-C]
- Use sizeof to determine the size of a type or variable.
[EXP09-C]
- Do not depend on the order of evaluation of subexpressions or the order in which side effects take place.
[EXP10-C]
- Do not make assumptions regarding the layout of structures with bit-fields.
[EXP11-C]
- Do not ignore values returned by functions.
[EXP12-C]
- Treat relational and equality operators as if they were nonassociative.
[EXP13-C]
- Beware of integer promotion when performing bitwise operations on integer types smaller than int.
[EXP14-C]
- Do not place a semicolon on the same line as an if, for, or while statement.
[EXP15-C]
- Do not compare function pointers to constant values.
[EXP16-C]
- Do not perform bitwise operations in conditional expressions.
[EXP17-C]
- Use braces for the body of an if, for, or while statement.
[EXP19-C]
- Perform explicit tests to determine success, true and false, and equality.
[EXP20-C]
- Understand the data model used by your implementation(s).
[INT00-C.]
- Use rsize_t or size_t for all integer values representing the size of an object.
[INT01-C.]
- Understand integer conversion rules.
[INT02-C.]
- Enforce limits on integer values originating from tainted sources.
[INT04-C.]
- Do not use input functions to convert character data if they cannot handle all possible inputs.
[INT05-C.]
- Use strtol() or a related function to convert a string token to an integer.
[INT06-C.]
- Use only explicitly signed or unsigned char type for numeric values.
[INT07-C.]
- Verify that all integer values are in range.
[INT08-C.]
- Ensure enumeration constants map to unique values.
[INT09-C.]
- Do not assume a positive remainder when using the % operator.
[INT10-C.]
- Do not make assumptions about the type of a plain int bit-field when used in an expression.
[INT12-C.]
- Use bitwise operators only on unsigned operands.
[INT13-C]
- Avoid performing bitwise and arithmetic operations on the same data.
[INT14-C.]
- Use intmax_t or uintmax_t for formatted IO on programmer-defined integer types.
[INT15-C.]
- Do not make assumptions about representation of signed integers.
[INT16-C.]
- Define integer constants in an implementation-independent manner.
[INT17-C.]
- Evaluate integer expressions in a larger size before comparing or assigning to that size.
[INT18-C.]
- Understand the limitations of floating-point numbers.
[FLP00-C]
- Take care in rearranging floating-point expressions
[FLP01-C]
- Avoid using floating-point numbers when precise computation is needed
[FLP02-C]
- Detect and handle floating-point errors
[FLP03-C]
- Check floating-point inputs for exceptional values
[FLP04-C]
- Don't use denormalized numbers
[ FLP05-C]
- Convert integers to floating point for floating-point operations
[FLP06-C]
- Cast the return value of a function that returns a floating-point type
[FLP07-C]
- Understand how arrays work
[ARR00-C]
- Do not apply the sizeof operator to a pointer when taking the size of an array
[ARR01-C]
- Explicitly specify array bounds, even if implicitly defined by an initializer
[ARR02-C]
- Represent characters using an appropriate type
[STR00-C]
- Adopt and implement a consistent plan for managing strings
[STR01-C]
- Sanitize data passed to complex subsystems
[STR02-C]
- Do not inadvertently truncate a string
[STR03-C]
- Use plain char for characters in the basic character set
[STR04-C]
- Use pointers to const when referring to string literals
[STR05-C]
- Do not assume that strtok() leaves the parse string unchanged
[STR06-C]
- Use the bounds-checking interfaces for remediation of existing string manipulation code
[STR07-C]
- Use managed strings for development of new string manipulation code
[STR08-C]
- Don't assume numeric values for expressions with type plain character
[STR09-C]
- Do not concatenate different type of string literals
[STR10-C]
- Do not specify the bound of a character array initialized with a string literal
[STR11-C]
- Adopt and implement a consistent and comprehensive error-handling policy
[ERR00-C]
- Use ferror() rather than errno to check for FILE stream errors
[ERR01-C]
- Avoid in-band error indicators
[ERR02-C]
- Use runtime-constraint handlers when calling the bounds-checking interfaces
[ERR03-C]
- Choose an appropriate termination strategy
[ERR04-C]
- Application-independent code should provide error detection without dictating error handling
[ERR05-C]
- Understand the termination behavior of assert() and abort()
[ERR00-C]
- Prefer functions that support error checking over equivalent functions that don't
[ERR07-C]
- Functions should validate their parameters
[API00-C]
- Avoid laying out strings in memory directly before sensitive data
[API01-C]
- Functions that read or write to or from an array should take an argument to specify the source or target size
[API02-C]
- Create consistent interfaces and capabilities across related functions
[API03-C]
- Provide a consistent and usable error-checking mechanism
[API04-C]
- Use conformant array parameters
[API05-C]
- Enforce type safety
[API07-C]
- Avoid parameter names in a function prototype
[API08-C]
- Compatible values should have the same type
[API09-C]
- Avoid race conditions with multiple threads
[CON00-C]
- Acquire and release synchronization primitives in the same module, at the same level of abstraction
[CON01-C]
- Do not use volatile as a synchronization primitive
[CON02-C]
- Ensure visibility when accessing shared variables
[CON03-C]
- Join or detach threads even if their exit status is unimportant
[CON04-C]
- Do not perform operations that can block while holding a lock
[CON05-C]
- Ensure that every mutex outlives the data it protects
[CON06-C]
- Ensure that compound operations on shared variables are atomic
[CON07-C]
- Do not assume that a group of calls to independently atomic methods is atomic
[CON08-C]
- Avoid the ABA problem when using lock-free algorithms
[CON09-C]
- Compile cleanly at high warning levels
[MSC00-C]
- Strive for logical completeness
[MSC01-C]
- Use comments consistently and in a readable fashion
[MSC04-C]
- Do not manipulate time_t typed values directly
[MSC05-C]
- Beware of compiler optimizations
[MSC06-C]
- Detect and remove dead code
[MSC07-C]
- Character encoding: Use subset of ASCII for safety
[MSC09-C]
- Character encoding: UTF8-related issues
[MSC10-C]
- Incorporate diagnostic tests using assertions
[MSC11-C]
- Detect and remove code that has no effect
[MSC12-C]
- Detect and remove unused values
[MSC13-C]
- Do not introduce unnecessary platform dependencies
[MSC14-C]
- Do not depend on undefined behavior
[MSC15-C]
- Finish every set of statements associated with a case label with a break statement
[MSC17-C]
- Be careful while handling sensitive data, such as passwords, in program code
[MSC18-C]
- For functions that return an array, prefer returning an empty array over a null value
[MSC19-C]
- Do not use a switch statement to transfer control into a complex block
[MSC20-C]
- Use robust loop termination conditions
[MSC21-C]
- Use the setjmp(), longjmp() facility securely
[MSC22-C]
- Beware of vendor-specific library and language differences
[MSC23-C]
- Do not use deprecated or obsolescent functions
[MSC24-C]
- Check for the existence of links when dealing with files
[POS01-C]
- Follow the principle of least privilege
[ POS02-C]
- Avoid using PTHREAD_MUTEX_NORMAL type mutex locks
[POS04-C]
- Limit access to files by creating a jail
[POS05-C]
- Be specific when dynamically loading libraries
[WIN00-C]
- Do not forcibly terminate execution
[WIN01-C]
- Restrict privileges when spawning child processes
[WIN02-C]
- Understand HANDLE inheritance
[WIN03-C]
- Consider encrypting function pointers
[WIN04-C]
|
|
|