Contenu principal

CERT C: Rec. EXP11-C

Do not make assumptions regarding the layout of structures with bit-fields

Since R2024b

Description

Rule Definition

Do not make assumptions regarding the layout of structures with bit-fields.1

Polyspace Implementation

The rule checker checks for Bit field accessed using pointer.

Examples

expand all

Issue

This issue occurs when:

  • You take the address of a structure whose members are all bit fields.

  • You convert the address to a pointer to an integral type.

  • You use the pointer to access members of the struct.

In this code, all the members of the structure var are bit fields. The address of var is taken and then converted to an unsigned char pointer ptr. Using ptr to increment the members of var is a violation of this rule.

struct myBitField {
  unsigned int field1 : 8;
  unsigned int field2 : 8;
  unsigned int field3 : 8;
  unsigned int field4 : 8;
}; 
 
void foo() {
  struct myBitField var;
  unsigned char *ptr;
 //...
  ptr = (unsigned char *)&var;
  (*ptr)++; // Noncompliant
}

Risk

The representation of bit field structures in memory is not specified by the C standard and can vary depending on implementation. Accessing the members of a bit field structure by using pointers requires making assumptions about how the bit fields are arranged in memory, resulting in nonportable code. For example, in the preceding code, the operation (*ptr)++ can increment either var.field1 or var.field4, depending on the compiler used to compile the code.

Fix

To fix this violation, access the bit fields directly instead of by using pointers.

Example — Do Not Assume Memory Representation of Bit Fields

In this example, the behavior of the code depends on how the bit fields in myBitField are stored in memory. If members of bit fields are stored in a single byte from left to right, the operation (*ptr)++ increments var.field2 by one. But the bit fields can be stored in memory differently and this code can therefore behave differently:

  • If each bit field is stored in a single byte from right to left, the operation (*ptr)++ increments var.field1.

  • If bit fields are stored across multiple bytes, then the operation (*ptr)++ increments var.field2 by 4.

This code is not portable because it relies on a specific internal memory representation of bitfield structures. Polyspace® reports a violation.

struct myBitField {
  unsigned int field1 : 6;
  unsigned int field2 : 4;

}; 
 
void foo() {
  struct myBitField var;
  unsigned char *ptr;
 //...
  ptr = (unsigned char *)&var;
  ptr++;    // Now pointing to the next byte
  (*ptr)++; // Noncompliant
}

Correction — Access Bitfields Directly

To fix the violation, specify which bitfield you want to increment directly. Avoid using pointers to access the bitfields.

struct myBitField {
  unsigned int field1 : 6;
  unsigned int field2 : 4;

}; 
 
void foo() {
  struct myBitField var;
  unsigned char *ptr;
 //...
  var.field1++; // Compliant
}

Check Information

Group: Rec. 03. Expressions (EXP)

Version History

Introduced in R2024b


1 This software has been created by MathWorks incorporating portions of: the “SEI CERT-C Website,” © 2017 Carnegie Mellon University, the SEI CERT-C++ Web site © 2017 Carnegie Mellon University, ”SEI CERT C Coding Standard – Rules for Developing safe, Reliable and Secure systems – 2016 Edition,” © 2016 Carnegie Mellon University, and “SEI CERT C++ Coding Standard – Rules for Developing safe, Reliable and Secure systems in C++ – 2016 Edition” © 2016 Carnegie Mellon University, with special permission from its Software Engineering Institute.

ANY MATERIAL OF CARNEGIE MELLON UNIVERSITY AND/OR ITS SOFTWARE ENGINEERING INSTITUTE CONTAINED HEREIN IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This software and associated documentation has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute.