This list was submitted to ISO/IEC Joint Working Group 3 by FDA for consideration in the development of the second edition of IEC 62304 The following is list detectable flaws which a manufacturer could be expected to identify and remove. These flaws may once have been grouped together as ‘memory corruption’ or as ‘runtime failures’ which was not helpful in avoiding or debugging them. Use of static analysis to search for and find these flaws can eliminate a very large proportion of these runtime errors at low cost during development. Buffer Overrun A read or write to data after the end of a buffer. http://en.wikipedia.org/wiki/Buffer_overflow Writing a piece of data to a specific location designated as only being reserved for a shorter length of that data. A variant of run-time data corruption.
Buffer Underrun A read or write to data before the beginning of a buffer. http://en.wikipedia.org/wiki/Buffer_underrun Reading a piece of data from just before a specific location designated as only being reserved. A variant of run-time data corruption.
Type Overrun An overrun of a boundary within an aggregate type. Writing a piece of data of a specific (usually computed) byte length to a location designated as only being reserved for a shorter length. A variant of run-time data corruption. Type Underrun An underrun of a boundary within an aggregate type. Reading a piece of data of a specific (usually computed) byte length to a location designated as only being reserved for a shorter length. A variant of run-time data corruption. Null Pointer Dereference An attempt to dereference a pointer to the address 0. http://www.owasp.org/index.php/Null-pointer_dereference
Divide By Zero An attempt to perform integer division where the denominator is 0. Double Free Two calls to free on the same object. Freeing up the same piece of memory twice (e.g. in widely different parts of the code base) can cause runtime memory corruption. http://www.owasp.org/index.php/Double_Free
Use After Free A dereference of a pointer to a freed object. It may have been written over since you last thought you know what was there. http://cwe.mitre.org/data/definitions/416.html Free Non-Heap Variable An attempt to free an object which was not allocated on the heap, such as a stack-allocated variable. This is a memory corruption issue caused by freeing memory manually instead of allowing the heap manager to free it. Found mostly in embedded systems where there is no RTOS.
Uninitialized Variable An attempt to use the value of a variable that has not been initialized. You don’t know what’s there but you think you do! http://en.wikipedia.org/wiki/Uninitialized_variable
Leak Dynamically allocated storage has not been freed. Available memory progressively diminishes with time until system crashes due to insufficient memory. http://en.wikipedia.org/wiki/Memory_leak
Dangerous Function Cast A function pointer is cast to another function pointer having an incompatible signature or return type. Potentially point to the wrong part of memory at runtime for next op. http://www.informit.com/guides/content.aspx?g=cplusplus&seqNum=285
Delete[] Object Created by malloc An attempt to release memory obtained with malloc using delete[] http://www.codeguru.com/cpp/tic/tic0135.shtml There is a potential for double deleting memory
Delete[] Object Created by new An attempt to release memory obtained with new using delete[] http://www.codeguru.com/cpp/tic/tic0135.shtml There is a potential for double deleting memory
Delete Object Created by malloc An attempt to release memory obtained with malloc using delete http://www.informit.com/guides/content.aspx?g=cplusplus&seqNum=33 Potential undefined operation Delete Object Created by new[] An attempt to release memory obtained with new[] using delete http://www.informit.com/guides/content.aspx?g=cplusplus&seqNum=33 Potential undefined operation
Free Object Created by new[] An attempt to release memory obtained with new[] using free http://www.informit.com/guides/content.aspx?g=cplusplus&seqNum=33 Potential undefined operation
Free Object Created by new An attempt to release memory obtained with new using free http://www.informit.com/guides/content.aspx?g=cplusplus&seqNum=33 Potential undefined operation
Missing Return Statement At least one path through a non-void return-type function does not contain a return statement. Unknown value of the function if it is subsequently used Redundant Condition Some condition is either always or never satisfied.
A computed condition value tested prior to a branch is never able to execute the other path. Runtime dead code In DO-178B, a development standard for flight software, the riskiest code is required to be tested with 100 percent modified condition/decision coverage (MCDC). This means that a test suite must be chosen such that all sub-expressions in all conditionals are evaluated to both true and false. This means that functional testing might create the illusion of passing. Return Pointer To Local A procedure returns a pointer to one of its local variables. Local variables vanish when the procedure is complete so the pointer could be null or worse, something! Return Pointer To Freed A procedure returns a pointer to memory that has already been freed. A wild pointer http://en.wikipedia.org/wiki/Wild_pointer Unused Value A variable is assigned a value, but that value is never subsequently used on any execution path. A serious logic fault showing poor implementation but which might allow or retain unknowable data in the value. https://www.securecoding.cert.org/confluence/display/seccode/MSC13C.+Detect+and+remove+unused+values Useless Assignment Some assignment always assigns the value that the variable being modified already has. Related to unused value but which confuses many debuggers Varargs Function Cast A varargs function pointer is cast to another function pointer having different parameters or return type. Completely legal and even useful but potentially type unsafe at runtime. Ignored Return Value The value returned by some function has not been used. Which means it was not checked as successful. http://www.owasp.org/index.php/Ignored_function_return_value
Free Null Pointer An attempt to free a null pointer. http://www.manticmoo.com/articles/jeff/programming/c/free-with-null-pointer.php a potentially dangerous but legal technique commonly once in embedded programming to help with garbage collection. Unreachable Code Some of the code in a function is unreachable from the function entry point under any circumstances. Related to redundant condition code but many experienced programmers know that sooner or later it will be executed! http://en.wikipedia.org/wiki/Unreachable_code
Null Test After Dereference A pointer is NULL-checked when it has already been dereferenced. The test may drive a branch condition in one direction Format String A function that should have a format string passed in a particular argument position has been passed a string that either is not a format string or is from an untrusted source. (Potential security vulnerability.) Double Close
An attempt to close a file descriptor or file pointer twice. TOCTTOU Vulnerability A time-of-check-to-time-of-use race condition that can create a security vulnerability. Double Lock An attempt to lock a mutex twice. Double Unlock An attempt to unlock a mutex twice. Try-lock that will never succeed An attempt to lock a mutex that cannot possibly succeed. Misuse of Memory Allocation Incorrect use of memory allocators. Misuse of Memory Copying Incorrect use of copying functions. Misuse of Libraries Misuse of standard library functions.