Rule 21.6 and snprintf()

[dejanpan]

We are using snprintf() function (https://linux.die.net/man/3/snprintf) in a framework that lets you program autonomous driving cars (our product).
The function is currently being used only for logging of console data on the secondary, non-real time computer.


However, both PCLint and Coverity static code analysis tools mark it as non-compliant:

Rule 21.6
The Standard Library input/output functions shall not be used
C90 [Unspecified 2–5, 16–18; Undefined 77–89; Implementation 53–68]
C99 [Unspecified 3–6, 34–37; Undefined 138–166, 186; Implementation J.3.12(14–32)] [Koenig 74]

Category: Required
Analysis: Decidable, Single Translation Unit
Applies to: C90, C99

Amplification
This rule applies to the functions that are specified as being provided by <stdio.h> and, in C99,
their wide-character equivalents specified in Sections 7.24.2 and 7.24.3 of the C99 Standard as being
provided by <wchar.h>.

None of these identifiers shall be used and no macro with one of these names shall be expanded.

Rationale
Streams and file I/O have unspecified, undefined and implementation-defined behaviours associated
with them.

See also
Rule 22.1, Rule 22.3, Rule 22.4, Rule 22.5, Rule 22. 6



We have a following rebuttal:
The problem is that if the source and destination string buffers in a snprintf() call are the same, the behavior is undefined.

These buffers are passed as char pointers to

Code: Select all

 snprintf()

. Checking that two pointer variables can never be the same in a program (in all possible executions) is called alias analysis. It is a static code analysis that static code analysis tools can do, but it usually is imprecise (can have false positives). So it is easier for them to ban the use of

Code: Select all

snprintf()

altogether.

We claim that we can use snprintf() ONLY IF we ALWAYS check that the source and destination buffers are NOT the same before calling snprintf().

Code: Select all

if source != destination:
  snprintf(...)
else:
  raise error

Pardon pseudo code but if I use actual C code it won't let me post this question.

Additionally, based on the rule's Rationale text it could be argued that the snprintf() call is OK since it's not a stream or file output call.

I would love to hear some thoughts from MISRA members.

[dg1980]

There is no source buffer in the signature of snprintf.
You should carefully study Annex J.2 items 138-166 and 186 (as referenced in the rule) in ISO 9899 (C99 language specification) and you will realize that snprintf just does not belong in production level code.
At least i can't imagine any valid deviation permit.
Are you able to implement something like the trick below (_DEBUG not active for static analysis / release build)?

Code: Select all

#ifdef _DEBUG
#define LOG_CONSOLE(str, size, format, ...) snprintf(str, size, format, __VA_ARGS)
#else
#define LOG_CONSOLE(str, size, format, ...) (void)0
#endif

[misra-c]

As mentioned by dg1980 there are a range of undefined behaviours associated with snprintf.
Using snprintf would require a deviation that addresses all those issues.

[dejanpan]

Dear misra-c and dg1980, thanks a lot for your feedback.

I miswrote "source buffer", I meant the format argument.

Further I would like to ask about "Annex J.2 items 138-166 and 186". Is the bullet point list from here: http://www.open-std.org/jtc1/sc22/wg14/ ... /n1256.pdf correctly enumerated in here https://wiki.sei.cmu.edu/confluence/dis ... d+Behavior?

Or do you guys really count bullet points to determine which item is e.g. 138?

[misra-c]

Yes, we have enumerated the bullet point list from the original published version of the C99 Standard, which does not include subsequent Technical Corrigenda.

This is not the same as the draft version of C99 at
http://www.open-std.org/jtc1/sc22/wg14/ ... /n1256.pdf
nor the C11 list on the SEI CERT C page at
https://wiki.sei.cmu.edu/confluence/dis ... d+Behavior