No Use of "others" in Case Constructs (RPP01)
Level: Required
Category: Safety ✓, Cyber ✓
Goal: Maintainability ✓, Reliability ✓, Portability ✓ (Performance and Security not checked)
Remediation: Low
Verification Method: GNATcheck rule OTHERS_In_CASE_Statements
Reference: [SEI-C] MSC01-C
Description

Case statement alternatives and case expressions must not use the others discrete choice. The rule prevents a choice that is added after the case construct was written from being silently absorbed by the others alternative when an explicit handler for the new value was intended.

Note that this is the opposite of typical C guidelines such as [SEI-C] MSC01-C. The reason is that in C, the default alternative plays the role of defensive code that mitigates the non-exhaustivity of the switch statement. In Ada, the case construct is exhaustive: the compiler statically verifies that every value of the case expression's subtype is covered by exactly one alternative, and a value that lies outside that subtype (for example, invalid data produced by unchecked conversion or an uninitialized variable) raises Constraint_Error at run time (RM 5.4), which serves as implicit defensive code. As a result, Ada's others alternative does not play C's defensive-code role, and a stronger guideline can be adopted: leaving others out turns every later extension of the selector's type into a compile-time error that forces an explicit decision.
Applicable Vulnerability within ISO TR 24772-2
6.27 Switch statements and static analysis [CLL]
Applicable Common Weakness Enumeration
N/A
Noncompliant Code Example
   --  Digit_T is assumed to be a subtype of Character covering '0' .. '9'
   --  (as the compliant example's alternatives imply); the conversion
   --  Digit_T (C) range-checks C before the alternatives are consulted.
   case Digit_T (C) is
      when '0' | '9' =>
         C := Character'Succ (C);
      when others =>   --  silently absorbs any digit choice added later
         C := Character'Pred (C);
   end case;
Compliant Code Example
   case Digit_T (C) is
      when '0' | '9' =>
         C := Character'Succ (C);
      when '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' =>
         C := Character'Pred (C);
   end case;
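The following program is an added example, not code from the guideline page or from GNATcheck, that shows both halves of the argument above in one compilable unit: a selector type whose extension is silently swallowed by an others alternative versus rejected at compile time by an explicit one, and the page's Digit_T case with the subtype conversion acting as the defensive check. Request_Kind, Needs_Audit_Others, Needs_Audit_Explicit and Shift_Digit are hypothetical names chosen for this example, and the declaration of Digit_T as Character range '0' .. '9' is an assumption consistent with the compliant example.

```ada
--  rpp01_demo.adb: an added illustration of RPP01, not code from the
--  guideline page.  Request_Kind, Needs_Audit_* and Shift_Digit are
--  hypothetical names; Digit_T's declaration is assumed.
--  Build and run:   gnatmake rpp01_demo.adb && ./rpp01_demo
--  Check the rule:  gnatcheck rpp01_demo.adb -rules +ROTHERS_In_CASE_Statements
with Ada.Text_IO; use Ada.Text_IO;

procedure Rpp01_Demo is

   --  Hypothetical request kinds handled by a service.  Suppose a later
   --  release appends a privileged kind, say Escalate, to this list.
   type Request_Kind is (Read, Write, Delete);

   --  Noncompliant (uses others).  After Escalate is added to Request_Kind
   --  this still compiles unchanged, and Escalate silently lands in the
   --  others branch, i.e. it is treated as a request that needs no audit.
   function Needs_Audit_Others (R : Request_Kind) return Boolean is
   begin
      case R is
         when Delete =>
            return True;
         when others =>
            return False;
      end case;
   end Needs_Audit_Others;

   --  Compliant (every literal named).  Adding Escalate to Request_Kind
   --  makes this a compile-time error (GNAT reports the missing case value)
   --  until someone decides explicitly how the new kind must be handled.
   function Needs_Audit_Explicit (R : Request_Kind) return Boolean is
   begin
      case R is
         when Delete =>
            return True;
         when Read | Write =>
            return False;
      end case;
   end Needs_Audit_Explicit;

   --  The page's Digit_T example with the assumed subtype declared.
   --  The conversion Digit_T (C) is the defensive code: for a non-digit
   --  C it raises Constraint_Error before any alternative is consulted,
   --  so no others branch is needed to catch bad input.
   subtype Digit_T is Character range '0' .. '9';

   function Shift_Digit (C : Character) return Character is
   begin
      case Digit_T (C) is
         when '0' | '9' =>
            return Character'Succ (C);
         when '1' .. '8' =>      --  a range choice covers the rest
            return Character'Pred (C);
      end case;
   end Shift_Digit;

begin
   for R in Request_Kind loop
      Put_Line (Request_Kind'Image (R)
                & ": others => " & Boolean'Image (Needs_Audit_Others (R))
                & ", explicit => " & Boolean'Image (Needs_Audit_Explicit (R)));
   end loop;

   Put_Line ("Shift_Digit ('9') = " & Shift_Digit ('9'));   --  ':'
   Put_Line ("Shift_Digit ('5') = " & Shift_Digit ('5'));   --  '4'

   --  Out-of-subtype input: the conversion's range check fires.
   begin
      Put_Line ("Shift_Digit ('a') = " & Shift_Digit ('a'));
   exception
      when Constraint_Error =>
         Put_Line ("Shift_Digit ('a') raised Constraint_Error");
   end;
end Rpp01_Demo;
```

To see the maintenance hazard, append Escalate to Request_Kind and rebuild: Needs_Audit_Others compiles and now reports False for the privileged request, while Needs_Audit_Explicit fails to compile until an alternative for Escalate is written. Running GNATcheck with the OTHERS_In_CASE_Statements rule flags the others alternative in Needs_Audit_Others before that situation ever arises.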
Notes
N/A