CERT C: Rec. DCL10-C

Maintain the contract between the writer and caller of variadic functions

expand all in page

Description

Rule Definition

Maintain the contract between the writer and caller of variadic functions.¹

Polyspace Implementation

The rule checker checks for Format string specifiers and arguments mismatch.

Examples

expand all

Format string specifiers and arguments mismatch

Issue

Format string specifiers and arguments mismatch occurs when the format specifiers in the formatted output functions such as printf do not match their corresponding arguments. For example, an argument of type unsigned long must have a format specification of %lu.

Risk

Mismatch between format specifiers and the corresponding arguments result in undefined behavior.

Fix

Make sure that the format specifiers match the corresponding arguments. For instance, in this example, the %d specifier does not match the string argument message and the %s specifier does not match the integer argument err_number.

  const char *message = "License not available";
  int err_number = -4;
  printf("Error: %d (error type %s)\n", message, err_number);

Switching the two format specifiers fixes the issue. See the specifications for the printf function for more information about format specifiers.

If you do not want to fix the issue, add comments to your result or code to avoid another review. See:

Address Results in Polyspace User Interface Through Bug Fixes or Justifications if you review results in the Polyspace user interface.
Address Results in Polyspace Access Through Bug Fixes or Justifications (Polyspace Access) if you review results in a web browser.
Annotate Code and Hide Known or Acceptable Results if you review results in an IDE.

Example - Printing a Float

#include <stdio.h>

void string_format(void) {

    unsigned long fst = 1;

    printf("%d\n", fst); //Noncompliant
}

In the printf statement, the format specifier, %d, does not match the data type of fst.

Correction — Use an Unsigned Long Format Specifier

One possible correction is to use the %lu format specifier. This specifier matches the unsigned integer type and long size of fst.

#include <stdio.h>

void string_format(void) {

    unsigned long fst = 1;

    printf("%lu\n", fst);
}

Correction — Use an Integer Argument

One possible correction is to change the argument to match the format specifier. Convert fst to an integer to match the format specifier and print the value 1.

#include <stdio.h>

void string_format(void) {

    unsigned long fst = 1;

    printf("%d\n", (int)fst);
}

Check Information

Group: Rec. 02. Declarations and Initialization (DCL)

Version History

Introduced in R2019a

¹ This software has been created by MathWorks incorporating portions of: the “SEI CERT-C Website,” © 2017 Carnegie Mellon University, the SEI CERT-C++ Web site © 2017 Carnegie Mellon University, ”SEI CERT C Coding Standard – Rules for Developing safe, Reliable and Secure systems – 2016 Edition,” © 2016 Carnegie Mellon University, and “SEI CERT C++ Coding Standard – Rules for Developing safe, Reliable and Secure systems in C++ – 2016 Edition” © 2016 Carnegie Mellon University, with special permission from its Software Engineering Institute.

ANY MATERIAL OF CARNEGIE MELLON UNIVERSITY AND/OR ITS SOFTWARE ENGINEERING INSTITUTE CONTAINED HEREIN IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This software and associated documentation has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute.