[CERT C Review Batch 5/5] Review proposed Rust categorization #431
Description
Context
Thanks for taking a look at this batch.
This issue is part of the follow-on work from #336, where Félix finished a first pass mapping CERT C rules into Rust-oriented categories.
The goal here is to get a focused review on one slice of the 103 rules without making anyone wade through the whole set at once.
If you notice something that cuts across batches, or you want to leave a more global comment, please put that on #336.
Reviewer note
Please feel free to leave working notes here as you go.
When you feel done with this batch, please leave a short final summary on #336 and link back to this issue so the parent thread stays the main record of the outcome.
Review goal
For each rule below, please check whether the current proposed bucket still feels right for Rust.
If you disagree, are unsure, or think the rule should be merged with another concern, that is useful feedback too. A short rationale is enough.
Current buckets:
- Does not map to Rust
- Definitely maps to Rust
- Maybe
- Maps directly to Unsafe Rust
Rules in this batch
Please do not feel boxed in by the current buckets. If one of these looks miscategorized, that is exactly the kind of feedback we want.
| ID | CERT C rule | Current proposed bucket | Notes |
|---|---|---|---|
| INT35 | Use correct integer precisions | Does not map to Rust | |
| STR37 | Arguments to character-handling functions must be representable as an unsigned char | Does not map to Rust | |
| STR38 | Do not confuse narrow and wide character strings and functions | Does not map to Rust | |
| MEM33 | Allocate and copy structures containing a flexible array member dynamically | Does not map to Rust | |
| FIO47 | Use valid format strings | Does not map to Rust | |
| SIG34 | Do not call signal() from within interruptible signal handlers | Does not map to Rust | |
| SIG35 | Do not return from a computational exception signal handler | Does not map to Rust | |
| CON31 | Do not destroy a mutex while it is locked | Does not map to Rust | |
| MSC33 | Do not pass invalid data to the asctime() function | Does not map to Rust | |
| MSC38 | Do not treat a predefined identifier as an object if it might only be implemented as a macro | Does not map to Rust | |
| MSC39 | Do not call va_arg() on a va_list that has an indeterminate value | Does not map to Rust | |
| MSC40 | Do not violate constraints | Does not map to Rust | |
| FLP34 | Ensure that floating-point conversions are within range of the new type | Definitely maps to Rust | |
| FLP36 | Preserve precision when converting integral values to floating-point type | Definitely maps to Rust | |
| FIO42 | Close files when they are no longer needed | Definitely maps to Rust | |
| CON38 | Preserve thread safety and liveness when using condition variables | Definitely maps to Rust | Higher-policy discussion expected |
| MSC32 | Properly seed pseudorandom number generators | Definitely maps to Rust | |
| MEM34 | Only free memory allocated dynamically | Maybe | Candidate to subsume into broader unsafe API safety-contract guidance |
| CON35 | Avoid deadlock by locking in a predefined order | Maybe | |
| EXP36 | Do not cast pointers into more strictly aligned pointer types | Maps directly to Unsafe Rust | |
| MEM35 | Allocate sufficient memory for an object | Maps directly to Unsafe Rust |
What would help
- Each rule is either confirmed, challenged, or marked as needing more discussion.
- Any merged rules or overlapping concerns are called out explicitly.
- Any rule that looks like a good follow-up coding guideline issue is noted.
- A short summary is posted on #336 with a link back to this issue.
After opening this issue
Post this comment to request a reviewer from the Producer queue:
@guidelines-bot /r? producers