
      Analyzability (since C11)


      This optional extension to the C language limits the potential results of executing some forms of undefined behavior, which improves the effectiveness of static analysis of such programs. Analyzability is only guaranteed to be enabled if the predefined macro constant __STDC_ANALYZABLE__ is defined by the compiler.

      If the compiler supports analyzability, any language or library construct whose behavior is undefined is further classified as either critical or bounded undefined behavior, and the behavior of all bounded UB cases is limited as specified below.

      Critical undefined behavior

      Critical UB is undefined behavior that might perform a memory write or a volatile memory read out of bounds of any object. A program that has critical undefined behavior may be susceptible to security exploits.

      Only the following undefined behaviors are critical:

      • access to an object outside of its lifetime (e.g. through a dangling pointer)
      • write to an object whose declarations are not compatible
      • function call through a function pointer whose type is not compatible with the type of the function it points to
      • lvalue expression is evaluated, but does not designate an object
      • attempted modification of a string literal
      • dereferencing an invalid (null, indeterminate, etc.) or past-the-end pointer
      • modification of a const object through a non-const pointer
      • call to a standard library function or macro with an invalid argument
      • call to a variadic standard library function with unexpected argument type (e.g. call to printf with an argument of the type that doesn't match its conversion specifier)
      • longjmp where there is no setjmp up the calling scope, across threads, or from within the scope of a VM type
      • any use of the pointer that was deallocated by free or realloc
      • any string or wide string library function accesses an array out of bounds

      Bounded undefined behavior

      Bounded UB is undefined behavior that cannot perform an illegal memory write, although it may trap and may produce or store indeterminate values.

      • All undefined behavior not listed as critical is bounded, including

      Notes

      Bounded undefined behavior disables certain optimizations: compilation with analyzability enabled preserves source-code causality, which may be violated by undefined behavior otherwise.

      The analyzability extension permits, as a form of implementation-defined behavior, the runtime constraint handler to be invoked when a trap occurs.
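
An added example, not taken from cppreference or the C standard: because analyzability is optional and is only promised when __STDC_ANALYZABLE__ is defined, portable code has to rule out both classes of UB itself. The sketch below reports whether the macro is defined and guards a single array store against signed overflow (not on the critical list, hence bounded) and against an out-of-bounds write (critical). The names `analyzable_build`, `store_at` and the `STORE_*` codes are hypothetical.

```c
#include <limits.h>
#include <stddef.h>

/* 1 if this compiler promises Annex L analyzability, else 0. */
#ifdef __STDC_ANALYZABLE__
#define ANALYZABLE_BUILD 1
#else
#define ANALYZABLE_BUILD 0
#endif

/* Hypothetical result codes, named after the UB class each check prevents. */
enum store_result {
    STORE_OK = 0,
    STORE_WOULD_BE_BOUNDED_UB,   /* signed overflow in base + off */
    STORE_WOULD_BE_CRITICAL_UB   /* write outside buf[0..len-1] */
};

int analyzable_build(void) { return ANALYZABLE_BUILD; }

/* Store value at buf[base + off] without relying on analyzability. */
enum store_result store_at(int *buf, size_t len, int base, int off, int value)
{
    /* Signed overflow is not on the critical list, so it is bounded UB.
       Test before adding so the addition itself is always defined. */
    if ((off > 0 && base > INT_MAX - off) ||
        (off < 0 && base < INT_MIN - off))
        return STORE_WOULD_BE_BOUNDED_UB;

    int idx = base + off;

    /* An out-of-bounds write is critical UB in either mode, so the
       bounds check is mandatory whether or not the macro is defined. */
    if (buf == NULL || idx < 0 || (size_t)idx >= len)
        return STORE_WOULD_BE_CRITICAL_UB;

    buf[idx] = value;
    return STORE_OK;
}

int main(void)
{
    int buf[4] = {0};   /* constructed sample buffer */
    return (store_at(buf, 4, 1, 2, 42) == STORE_OK && buf[3] == 42) ? 0 : 1;
}
```
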

      References

      • C23 standard (ISO/IEC 9899:2024):
        • 6.10.10.4/1 Conditional feature macros (p: 188-189)
        • Annex L Analyzability (p: 672-673)
      • C17 standard (ISO/IEC 9899:2018):
        • 6.10.8.3/1 Conditional feature macros (p: 128-129)
        • Annex L Analyzability (p: 473-474)
      • C11 standard (ISO/IEC 9899:2011):
        • 6.10.8.3/1 Conditional feature macros (p: 177)
        • Annex L Analyzability (p: 652-653)