程序员的过错

程序员犯错的机会很多,从简单的错误拼写变量名到对复杂算法的误解.编程语言自身的特点对这种情况有一定的责任. 首先语言本身的风格与表达方式能对程序员起到帮助的同时也会引起一些理解阻碍.其次语言本身会导致错误拼写更容易发生.最后编程语言本身并非能完全侦测到这种错误.

 

由于C语言的风格与表达方式较为自由, 程序员可以设计出结构清晰,表达生动的代码, 也可以写出晦涩难懂的代码. 如果将功能安全作为重要的设计目标,
后者显然是不能接受的风格.

C语言的语法使得程序员能够写出合乎规则但是完全与设计目标背道而驰的代码. 比如:

if(a==1)

...

 

if(a=1)

...

又比如:

if(bFlag)

      doSomeThing();

 

if(bFlag);

      doSomeThing();

即是语法灵活所导致的经常性的编程错误.

C语言的哲学在于:程序员都是聪明的,能够明白自己在做什么. 所以语言本身侦测错误的能力较弱. 比较突出的一点是C语言在类型检测上基本上不做任何努力. 比如将浮点数赋值给整型变量. 大多数此类错误会被语言使用强制转换的手段隐藏. 如果给C编译器一个方形的插件和一个圆形过孔, 它也不会抱怨,只会默默地使之彼此兼容!

程序员对语言的误解

程序员会对语言本身的一些特点发生误解, 而C语言本身的特点导致非常容易被误解. 被误解的高发区之一就是运算符的优先级. 规则上定义得无可挑剔, 但是又非常复杂. 因此程序员经常会以自己理解的方式来假定运算优先级.
比如:

#define TEST_MACRO(a,b) a * b

 

Result
= TEST_MACRO(3+2, 1); 

编译器不以程序员预期的方式工作

如果语言的某特性并未完全定义,或者有歧义. 那么程序员与编译器理解的方式很可能无法达成一致.

此类情况有很多,而且编译器在此种情况下的表现也非常多样化. 有时同种编译器在处理同种情况, 仅仅因为上下文的变化,
而得出不同的结果. 此类特性包括但不限于以下所列举:

本来想把此类情况贴在这里, 但是列表太长, 影响阅读, 故此放在文末. 另外可以参考ISO C标准的原文.

编译器/连接器的过错

编译器与其配套的连接器等等也是软件写就的工具, 也有着所有软件产品不可避免的缺陷可能. 具体表现上就是其有可能在解释程序员的代码时输出错误结果. 因为某些C语言的特性本身较为难以理解, 故此编译器的作者在实现编译器时也就难以保证不出错. 更有甚者,由于观点上不同, 一些编译器的作者故意选择与语言标准不同的做法.

运行时错误

代码写的没问题, 但是在运行时因为输入了非意料中的数据而导致出错.
此种情况下程序员应该考虑运行时错误检查. C语言本身提供的运行时检查功能非常有限, 这也主要是从性能角度考虑的.编译器本身一般不会为常见的运算异常提供异常处理: 除以0, 溢出, 指针地址范围有效性以及世人皆知的数组下标越界等等.

总结

正因为以上所述的出错原因, 所以在使用C语言开发功能安全应用时, 必须采用严格/自动化的规则检测. 但是相比类似的语言来说,C语言在开发功能安全应用时依旧是较好的选择, 原因有:

1.      
C语言经过多年的迭代, 已经趋于成熟,标准化高;

2.      
性能上除了手工优化的汇编代码, C语言没有其他对手. 但是除了绝对的性能之外,汇编语言在其他方面都不如C语言, 已经不是开发功能安全应用的适用编程语言了. 如果一定要使用汇编语言, 必须施加比C语言更加严格的检查手段.

3.      
C语言因为应用广泛,即使有着本身的各种缺陷, 但是这些缺陷已经逐渐被人们所熟知.市场上有很多软件工具产品可以提供尽可能的避免这些缺陷的手段.

 

附录:C语言标准中的移植性问题列表, 也就是容易引起误解与混淆的特性与规范.但是因为此列表较长,此处仅仅列出一部分, 完整部分请参阅C语言的ISO标准.

Annex J

(informative)

Portability issues

1 This annex collects some information
about portability that appears in this International

Standard.

J.1 Unspecified behavior

The following are unspecified:

—
The manner and timing of static initialization (5.1.2).

—
The termination status returned to the hosted environment if the return type of
main

is not compatible with int (5.1.2.2.3).

—
The values of objects that are neither lock-free atomic objects nor of type volatile

sig_atomic_t and the state of the floating-point
environment, when the

processing
of the abstract machine is interrupted by receipt of a signal (5.1.2.3).

—
The behavior of the display device if a printing character is written when the
active

position
is at the final position of a line (5.2.2).

—
The behavior of the display device if a backspace character is written when the
active

position
is at the initial position of a line (5.2.2).

—
The behavior of the display device if a horizontal tab character is written
when the

active
position is at or past the last defined horizontal tabulation position (5.2.2).

—
The behavior of the display device if a vertical tab character is written when
the active

position
is at or past the last defined vertical tabulation position (5.2.2).

—
How an extended source character that does not correspond to a universal
character

name
counts toward the significant initial characters in an external identifier
(5.2.4.1).

—
Many aspects of the representations of types (6.2.6).

—
The value of padding bytes when storing values in structures or unions
(6.2.6.1).

—
The values of bytes that correspond to union members other than the one last
stored

into
(6.2.6.1).

—
The representation used when storing a value in an object that has more than
one

object
representation for that value (6.2.6.1).

—
The values of any padding bits in integer representations (6.2.6.2).

—
Whether certain operators can generate negative zeros and whether a negative
zero

becomes
a normal zero when stored in an object (6.2.6.2) The following
are unspecified:

—
The manner and timing of static initialization (5.1.2).

—
The termination status returned to the hosted environment if the return type of
main

is not compatible with int (5.1.2.2.3).

—
The values of objects that are neither lock-free atomic objects nor of type volatile

sig_atomic_t and the state of the floating-point environment,
when the

processing
of the abstract machine is interrupted by receipt of a signal (5.1.2.3).

—
The behavior of the display device if a printing character is written when the
active

position
is at the final position of a line (5.2.2).

—
The behavior of the display device if a backspace character is written when the
active

position
is at the initial position of a line (5.2.2).

—
The behavior of the display device if a horizontal tab character is written
when the

active
position is at or past the last defined horizontal tabulation position (5.2.2).

—
The behavior of the display device if a vertical tab character is written when
the active

position
is at or past the last defined vertical tabulation position (5.2.2).

—
How an extended source character that does not correspond to a universal
character

name
counts toward the significant initial characters in an external identifier
(5.2.4.1).

—
Many aspects of the representations of types (6.2.6).

—
The value of padding bytes when storing values in structures or unions
(6.2.6.1).

—
The values of bytes that correspond to union members other than the one last
stored

into
(6.2.6.1).

—
The representation used when storing a value in an object that has more than
one

object
representation for that value (6.2.6.1).

—
The values of any padding bits in integer representations (6.2.6.2).

—
Whether certain operators can generate negative zeros and whether a negative
zero

becomes
a normal zero when stored in an object (6.2.6.2).

— Whether two string literals result in distinct arrays
(6.4.5).

—
The order in which subexpressions are evaluated and the order in which side
effects

take
place, except as specified for the function-call (), &&, ||, ? :, and comma

operators
(6.5).

—
The order in which the function designator, arguments, and subexpressions
within the

arguments
are evaluated in a function call (6.5.2.2).

—
The order of side effects among compound literal initialization list
expressions

(6.5.2.5).

—
The order in which the operands of an assignment operator are evaluated
(6.5.16).

—
The alignment of the addressable storage unit allocated to hold a bit-field
(6.7.2.1).

—
Whether a call to an inline function uses the inline definition or the external
definition

of
the function (6.7.4).

—
Whether or not a size expression is evaluated when it is part of the operand of
a

sizeof
operator and changing the value of the size expression would not affect
the

result
of the operator (6.7.6.2).

—
The order in which any side effects occur among the initialization list
expressions in

an
initializer (6.7.9).

—
The layout of storage for function parameters (6.9.1).

—
When a fully expanded macro replacement list contains a function-like macro
name

as
its last preprocessing token and the next preprocessing token from the source
file is

a
(, and the fully expanded replacement of that macro ends with
the name of the first

macro
and the next preprocessing token from the source file is again a (, whether
that

is
considered a nested replacement (6.10.3).

—
The order in which # and ## operations
are evaluated during macro substitution

(6.10.3.2,
6.10.3.3).

—
The state of the floating-point status flags when execution passes from a part
of the

program
translated with FENV_ACCESS ‘‘off’’ to a part translated with

FENV_ACCESS
‘‘on’’ (7.6.1).

—
The order in which feraiseexcept raises
floating-point exceptions, except as

stated
in F.8.6 (7.6.2.3).

—
Whether math_errhandling is a macro or an identifier with
external linkage

(7.12).

—
The results of the frexp functions
when the specified value is not a floating-point

number
(7.12.6.4).

— The numeric result of the ilogb functions
when the correct value is outside the

range
of the return type (7.12.6.5, F.10.3.5).

—
The result of rounding when the value is out of range (7.12.9.5, 7.12.9.7,
F.10.6.5).

—
The value stored by the remquo functions in
the object pointed to by quo when y is

zero
(7.12.10.3).

—
Whether a comparison macro argument that is represented in a format wider than
its

semantic
type is converted to the semantic type (7.12.14).

—
Whether setjmp is a macro or an identifier with
external linkage (7.13).

—
Whether va_copy and va_end are macros or
identifiers with external linkage

(7.16.1).

—
The hexadecimal digit before the decimal point when a non-normalized
floating-point

number
is printed with an a or A conversion
specifier (7.21.6.1, 7.29.2.1).

—
The value of the file position indicator after a successful call to the ungetc function

for
a text stream, or the ungetwc function for
any stream, until all pushed-back

characters
are read or discarded (7.21.7.10, 7.29.3.10).

—
The details of the value stored by the fgetpos function
(7.21.9.1).

—
The details of the value returned by the ftell function for
a text stream (7.21.9.4).

—
Whether the strtod, strtof, strtold, wcstod, wcstof, and wcstold

functions convert a minus-signed sequence to a negative number directly
or by

negating
the value resulting from converting the corresponding unsigned sequence

(7.22.1.3,
7.29.4.1.1).

— The order and contiguity of storage allocated by successive
calls to the calloc,

malloc, and realloc functions
(7.22.3).

—
The amount of storage allocated by a successful call to the calloc, malloc, or

realloc
function when 0 bytes was requested (7.22.3).

—
Whether a call to the atexit function that
does not happen before the exit

function is called will succeed (7.22.4.2).

—
Whether a call to the at_quick_exit function that
does not happen before the

quick_exit
function is called will succeed (7.22.4.3).

—
Which of two elements that compare as equal is matched by the bsearch function

(7.22.5.1).

—
The order of two elements that compare as equal in an array sorted by the qsort

function (7.22.5.2).

— The encoding of the calendar time returned by the time function
(7.27.2.4).

—
The characters stored by the strftime or wcsftime function if
any of the time

values
being converted is outside the normal range (7.27.3.5, 7.29.5.1).

—
Whether an encoding error occurs if a wchar_t value that
does not correspond to a

member
of the extended character set appears in the format string for a function in

7.29.2
or 7.29.5 and the specified semantics do not require that value to be processed

by
wcrtomb (7.29.1).

—
The conversion state after an encoding error occurs (7.29.6.3.2, 7.29.6.3.3,
7.29.6.4.1,

7.29.6.4.2,

—
The resulting value when the ‘‘invalid’’ floating-point exception is raised
during

IEC
60559 floating to integer conversion (F.4).

—
Whether conversion of non-integer IEC 60559 floating values to integer raises
the

‘‘inexact’’
floating-point exception (F.4).

—
Whether or when library functions in <math.h> raise the
‘‘inexact’’ floating-point

exception
in an IEC 60559 conformant implementation (F.10).

—
Whether or when library functions in <math.h> raise an
undeserved ‘‘underflow’’

floating-point
exception in an IEC 60559 conformant implementation (F.10).

—
The exponent value stored by frexp for a NaN or
infinity (F.10.3.4).

—
The numeric result returned by the lrint, llrint, lround, and llround

functions if the rounded value is outside the range of the return type
(F.10.6.5,

F.10.6.7).

— The sign of one part of the complex result of
several math functions for certain

special
cases in IEC 60559 compatible implementations (G.6.1.1, G.6.2.2, G.6.2.3,

G.6.2.4,
G.6.2.5, G.6.2.6, G.6.3.1, G.6.4.2).

J.2
Undefined behavior

1 The behavior is undefined in the following circumstances:

—
A ‘‘shall’’ or ‘‘shall not’’ requirement that appears outside of a constraint
is violated

(clause
4).

—
A nonempty source file does not end in a new-line character which is not
immediately

preceded
by a backslash character or ends in a partial preprocessing token or

comment
(5.1.1.2).

—
Token concatenation produces a character sequence matching the syntax of a

universal
character name (5.1.1.2).

—
A program in a hosted environment does not define a function named main using one

of
the specified forms (5.1.2.2.1).

— The execution of a program contains a data race (5.1.2.4).

—
A character not in the basic source character set is encountered in a source
file, except

in
an identifier, a character constant, a string literal, a header name, a
comment, or a

preprocessing
token that is never converted to a token (5.2.1).

—
An identifier, comment, string literal, character constant, or header name
contains an

invalid
multibyte character or does not begin and end in the initial shift state
(5.2.1.2).

—
The same identifier has both internal and external linkage in the same
translation unit

(6.2.2).

—
An object is referred to outside of its lifetime (6.2.4).

—
The value of a pointer to an object whose lifetime has ended is used (6.2.4).

—
The value of an object with automatic storage duration is used while it is

indeterminate
(6.2.4, 6.7.9, 6.8).

—
A trap representation is read by an lvalue expression that does not have
character type

(6.2.6.1).

—
A trap representation is produced by a side effect that modifies any part of
the object

using
an lvalue expression that does not have character type (6.2.6.1).

—
The operands to certain operators are such that they could produce a negative
zero

result,
but the implementation does not support negative zeros (6.2.6.2).

—
Two declarations of the same object or function specify types that are not
compatible

(6.2.7).

— A program requires the formation of a composite type from a
variable length array

type
whose size is specified by an expression that is not evaluated (6.2.7).

—
Conversion to or from an integer type produces a value outside the range that
can be

represented
(6.3.1.4).

—
Demotion of one real floating type to another produces a value outside the
range that

can
be represented (6.3.1.5).

—
An lvalue does not designate an object when evaluated (6.3.2.1).

—
A non-array lvalue with an incomplete type is used in a context that requires
the value

of
the designated object (6.3.2.1).

—
An lvalue designating an object of automatic storage duration that could have
been

declared
with the register storage class is used in a context
that requires the value

of
the designated object, but the object is uninitialized. (6.3.2.1).

—
An lvalue having array type is converted to a pointer to the initial element of
the

array,
and the array object has register storage class (6.3.2.1).

— An attempt is made to use the value of a void expression,
or an implicit or explicit

conversion
(except to void) is applied to a void expression
(6.3.2.2).

—
Conversion of a pointer to an integer type produces a value outside the range
that can

be
represented (6.3.2.3).

—
Conversion between two pointer types produces a result that is incorrectly
aligned

(6.3.2.3).

—
A pointer is used to call a function whose type is not compatible with the
referenced

type
(6.3.2.3).

—
An unmatched ' or " character is
encountered on a logical source line during

tokenization
(6.4).

—
A reserved keyword token is used in translation phase 7 or 8 for some purpose
other

than
as a keyword (6.4.1).

—
A universal character name in an identifier does not designate a character
whose

encoding
falls into one of the specified ranges (6.4.2.1).

—
The initial character of an identifier is a universal character name
designating a digit

(6.4.2.1).

—
Two identifiers differ only in nonsignificant characters (6.4.2.1).

—
The identifier _ _func_ _ is explicitly declared (6.4.2.2).

—
The program attempts to modify a string literal (6.4.5).

— The characters ', \, ", //, or /* occur in the
sequence between the < and >

delimiters, or the characters ', \, //, or /* occur in the
sequence between the "

delimiters, in a header name preprocessing token (6.4.7).

—
A side effect on a scalar object is unsequenced relative to either a different
side effect

on
the same scalar object or a value computation using the value of the same
scalar

object
(6.5).

—
An exceptional condition occurs during the evaluation of an expression (6.5).

—
An object has its stored value accessed other than by an lvalue of an allowable
type

(6.5).

—
For a call to a function without a function prototype in scope, the number of

arguments
does not equal the number of parameters (6.5.2.2).

—
For call to a function without a function prototype in scope where the function
is

defined
with a function prototype, either the prototype ends with an ellipsis or the

types
of the arguments after promotion are not compatible with the types of the

parameters
(6.5.2.2).

— For a call to a function without a function prototype in scope
where the function is not

defined
with a function prototype, the types of the arguments after promotion are not

compatible
with those of the parameters after promotion (with certain exceptions)

(6.5.2.2).

—
A function is defined with a type that is not compatible with the type (of the

expression)
pointed to by the expression that denotes the called function (6.5.2.2).

—
A member of an atomic structure or union is accessed (6.5.2.3).

—
The operand of the unary * operator has
an invalid value (6.5.3.2).

—
A pointer is converted to other than an integer or pointer type (6.5.4).

—
The value of the second operand of the / or % operator is
zero (6.5.5).

—
Addition or subtraction of a pointer into, or just beyond, an array object and
an

integer
type produces a result that does not point into, or just beyond, the same array

object
(6.5.6).

—
Addition or subtraction of a pointer into, or just beyond, an array object and
an

integer
type produces a result that points just beyond the array object and is used as

the
operand of a unary * operator that
is evaluated (6.5.6).

—
Pointers that do not point into, or just beyond, the same array object are
subtracted

(6.5.6).

—
An array subscript is out of range, even if an object is apparently accessible
with the

given
subscript (as in the lvalue expression a[1][7] given the
declaration int

a[4][5]) (6.5.6).

— The result of subtracting two pointers is not representable
in an object of type

ptrdiff_t
(6.5.6).

—
An expression is shifted by a negative number or by an amount greater than or
equal

to
the width of the promoted expression (6.5.7).

—
An expression having signed promoted type is left-shifted and either the value
of the

expression
is negative or the result of shifting would be not be representable in the

promoted
type (6.5.7).

—
Pointers that do not point to the same aggregate or union (nor just beyond the
same

array
object) are compared using relational operators (6.5.8).

—
An object is assigned to an inexactly overlapping object or to an exactly
overlapping

object
with incompatible type (6.5.16.1).

—
An expression that is required to be an integer constant expression does not
have an

integer
type; has operands that are not integer constants, enumeration constants,

character
constants, sizeof expressions whose results are integer
constants, _Alignof
expressions, or
immediately-cast floating constants; or contains casts

(outside operands to sizeof and _Alignof
operators) other than
conversions of

arithmetic types to integer
types (6.6).

— A constant expression in
an initializer is not, or does not evaluate to, one of the

following: an arithmetic
constant expression, a null pointer constant, an address

constant, or an address
constant for a complete object type plus or minus an integer

constant expression (6.6).

— An arithmetic constant
expression does not have arithmetic type; has operands that

are not integer constants,
floating constants, enumeration constants, character

constants, sizeof expressions whose results are integer constants, or _Alignof

expressions; or contains
casts (outside operands to sizeof or _Alignof operators)

other than conversions of
arithmetic types to arithmetic types (6.6).

— The value of an object is
accessed by an array-subscript [],
member-access . or ->,

address &, or indirection * operator
or a pointer cast in creating an address constant

(6.6).

— An identifier for an
object is declared with no linkage and the type of the object is

incomplete after its
declarator, or after its init-declarator if it has an initializer (6.7).

— A function is declared at
block scope with an explicit storage-class specifier other

than extern (6.7.1).

— A structure or union is
defined without any named members (including those

specified indirectly via
anonymous structures and unions) (6.7.2.1).

— An attempt is made to access, or generate a pointer to just
past, a flexible array

member
of a structure when the referenced object provides no elements for that array

(6.7.2.1).

—
When the complete type is needed, an incomplete structure or union type is not

completed
in the same scope by another declaration of the tag that defines the content

(6.7.2.3).

—
An attempt is made to modify an object defined with a const-qualified type
through

use
of an lvalue with non-const-qualified type (6.7.3).

—
An attempt is made to refer to an object defined with a volatile-qualified type
through

use
of an lvalue with non-volatile-qualified type (6.7.3).

—
The specification of a function type includes any type qualifiers (6.7.3).

—
Two qualified types that are required to be compatible do not have the
identically

qualified
version of a compatible type (6.7.3).

—
An object which has been modified is accessed through a restrict-qualified
pointer to

a
const-qualified type, or through a restrict-qualified pointer and another
pointer that

are not both based on the same object (6.7.3.1).

—
A restrict-qualified pointer is assigned a value based on another restricted
pointer

whose
associated block neither began execution before the block associated with this

pointer,
nor ended before the assignment (6.7.3.1).

—
A function with external linkage is declared with an inline function
specifier, but is

not
also defined in the same translation unit (6.7.4).

—
A function declared with a _Noreturn function
specifier returns to its caller (6.7.4).

—
The definition of an object has an alignment specifier and another declaration
of that

object
has a different alignment specifier (6.7.5).

—
Declarations of an object in different translation units have different
alignment

specifiers
(6.7.5).

—
Two pointer types that are required to be compatible are not identically
qualified, or

are
not pointers to compatible types (6.7.6.1).

—
The size expression in an array declaration is not a constant expression and
evaluates

at
program execution time to a nonpositive value (6.7.6.2).

—
In a context requiring two array types to be compatible, they do not have
compatible

element
types, or their size specifiers evaluate to unequal values (6.7.6.2).

—
A declaration of an array parameter includes the keyword static within the [ and

]
and the corresponding argument does not provide access to the first
element of an

array
with at least the specified number of elements (6.7.6.3).

— A storage-class specifier or type qualifier modifies the
keyword void as a function

parameter
type list (6.7.6.3).

—
In a context requiring two function types to be compatible, they do not have

compatible
return types, or their parameters disagree in use of the ellipsis terminator

or
the number and type of parameters (after default argument promotion, when there

is
no parameter type list or when one type is specified by a function definition
with an

identifier
list) (6.7.6.3).

—
The value of an unnamed member of a structure or union is used (6.7.9).

—
The initializer for a scalar is neither a single expression nor a single
expression

enclosed
in braces (6.7.9).

—
The initializer for a structure or union object that has automatic storage
duration is

neither
an initializer list nor a single expression that has compatible structure or
union

type
(6.7.9).

—
The initializer for an aggregate or union, other than an array initialized by a
string

literal,
is not a brace-enclosed list of initializers for its elements or members
(6.7.9).

— An identifier with external linkage is used, but in the
program there does not exist

exactly
one external definition for the identifier, or the identifier is not used and
there

exist
multiple external definitions for the identifier (6.9).

—
A function definition includes an identifier list, but the types of the
parameters are not

declared
in a following declaration list (6.9.1).

—
An adjusted parameter type in a function definition is not a complete object
type

(6.9.1).

—
A function that accepts a variable number of arguments is defined without a

parameter
type list that ends with the ellipsis notation (6.9.1).

—
The } that terminates a function is
reached, and the value of the function call is used

by
the caller (6.9.1).

—
An identifier for an object with internal linkage and an incomplete type is
declared

with
a tentative definition (6.9.2).

—
The token defined is generated during the expansion of
a #if or #elif

preprocessing directive, or the use of the defined unary
operator does not match

one
of the two specified forms prior to macro replacement (6.10.1).

—
The #include preprocessing directive that results
after expansion does not match

one
of the two header name forms (6.10.2).

—
The character sequence in an #include preprocessing
directive does not start with a

letter
(6.10.2).

—
There are sequences of preprocessing tokens within the list of macro arguments
that

would
otherwise act as preprocessing directives (6.10.3).

— The result of the preprocessing operator # is not a
valid character string literal

(6.10.3.2).

—
The result of the preprocessing operator ## is not a
valid preprocessing token

(6.10.3.3).

—
The #line preprocessing directive that results
after expansion does not match one of

the
two well-defined forms, or its digit sequence specifies zero or a number
greater

than
2147483647 (6.10.4).

—
A non-STDC #pragma preprocessing directive that is
documented as causing

translation
failure or some other form of undefined behavior is encountered (6.10.6).

—
A #pragma STDC preprocessing directive does not
match one of the well-defined

forms
(6.10.6).

—
The name of a predefined macro, or the identifier defined, is the
subject of a

#define
or #undef preprocessing directive (6.10.8).

— An attempt is made to copy an object to an overlapping
object by use of a library

function,
other than as explicitly allowed (e.g., memmove) (clause 7).

—
A file with the same name as one of the standard headers, not provided as part
of the

implementation,
is placed in any of the standard places that are searched for included

source
files (7.1.2).

—
A header is included within an external declaration or definition (7.1.2).

—
A function, object, type, or macro that is specified as being declared or
defined by

some
standard header is used before any header that declares or defines it is
included

(7.1.2).

—
A standard header is included while a macro is defined with the same name as a

keyword
(7.1.2).

—
The program attempts to declare a library function itself, rather than via a
standard

header,
but the declaration does not have external linkage (7.1.2).

—
The program declares or defines a reserved identifier, other than as allowed by
7.1.4

(7.1.3).

—
The program removes the definition of a macro whose name begins with an

underscore
and either an uppercase letter or another underscore (7.1.3).

—
An argument to a library function has an invalid value or a type not expected
by a

function
with variable number of arguments (7.1.4).

— The pointer passed to a library function array parameter
does not have a value such

that
all address computations and object accesses are valid (7.1.4).

—
The macro definition of assert is suppressed
in order to access an actual function

(7.2).

—
The argument to the assert macro does
not have a scalar type (7.2).

—
The CX_LIMITED_RANGE, FENV_ACCESS, or FP_CONTRACT pragma is
used in

any
context other than outside all external declarations or preceding all explicit

declarations
and statements inside a compound statement (7.3.4, 7.6.1, 7.12.2).

—
The value of an argument to a character handling function is neither equal to
the value

of
EOF nor representable as an unsigned char
(7.4).

—
A macro definition of errno is suppressed
in order to access an actual object, or the

program
defines an identifier with the name errno (7.5).

—
Part of the program tests floating-point status flags, sets floating-point
control modes,

or
runs under non-default mode settings, but was translated with the state for the

FENV_ACCESS
pragma ‘‘off’’ (7.6.1).

— The exception-mask argument for one of the functions that
provide access to the

floating-point
status flags has a nonzero value not obtained by bitwise OR of the

floating-point
exception macros (7.6.2).

—
The fesetexceptflag function is used to set
floating-point status flags that were

not
specified in the call to the fegetexceptflag function that
provided the value

of
the corresponding fexcept_t object (7.6.2.4).

—
The argument to fesetenv or feupdateenv is neither an
object set by a call to

fegetenv
or feholdexcept, nor is it an environment macro
(7.6.4.3, 7.6.4.4).

—
The value of the result of an integer arithmetic or conversion function cannot
be

represented
(7.8.2.1, 7.8.2.2, 7.8.2.3, 7.8.2.4, 7.22.6.1, 7.22.6.2, 7.22.1).

—
The program modifies the string pointed to by the value returned by the setlocale

function (7.11.1.1).

—
The program modifies the structure pointed to by the value returned by the

localeconv
function (7.11.2.1).

—
A macro definition of math_errhandling is suppressed
or the program defines

an
identifier with the name math_errhandling (7.12).

—
An argument to a floating-point classification or comparison macro is not of
real

floating
type (7.12.3, 7.12.14).

—
A macro definition of setjmp is suppressed
in order to access an actual function, or

the
program defines an external identifier with the name setjmp (7.13).

—
An inv ocation of the setjmp macro occurs
other than in an allowed context

(7.13.2.1).

— The longjmp function is
invoked to restore a nonexistent environment (7.13.2.1).

—
After a longjmp, there is an attempt to access the
value of an object of automatic

storage
duration that does not have volatile-qualified type, local to the function

containing
the invocation of the corresponding setjmp macro, that
was changed

between
the setjmp invocation and longjmp call
(7.13.2.1).

—
The program specifies an invalid pointer to a signal handler function
(7.14.1.1).

—
A signal handler returns when the signal corresponded to a computational
exception

(7.14.1.1).

—
A signal handler called in response to SIGFPE, SIGILL, SIGSEGV, or any
other

implementation-defined
value corresponding to a computational exception returns

(7.14.1.1).

—
A signal occurs as the result of calling the abort or raise function, and
the signal

handler
calls the raise function (7.14.1.1).

— A signal occurs other than as the result of calling the abort or raise function, and

the
signal handler refers to an object with static or thread storage duration that
is not a

lock-free
atomic object other than by assigning a value to an object declared as

volatile
sig_atomic_t, or calls any function in the standard library other

than
the abort function, the _Exit function, the
quick_exit function, or the

signal
function (for the same signal number) (7.14.1.1).

—
The value of errno is referred to after a signal
occurred other than as the result of

calling
the abort or raise function and
the corresponding signal handler obtained

a
SIG_ERR return from a call to the signal function
(7.14.1.1).

—
A signal is generated by an asynchronous signal handler (7.14.1.1).

—
The signal function is used in a multi-threaded
program (7.14.1.1).

—
A function with a variable number of arguments attempts to access its varying

arguments
other than through a properly declared and initialized va_list object, or

before
the va_start macro is invoked (7.16, 7.16.1.1,
7.16.1.4).

—
The macro va_arg is invoked using the parameter ap that was
passed to a function

that
invoked the macro va_arg with the same parameter (7.16).

—
A macro definition of va_start, va_arg, va_copy, or va_end is suppressed
in

order
to access an actual function, or the program defines an external identifier
with

the
name va_copy or va_end (7.16.1).

—
The va_start or va_copy macro is
invoked without a corresponding invocation

of
the va_end macro in the same function, or vice
versa (7.16.1, 7.16.1.2, 7.16.1.3,

7.16.1.4).

— The type
parameter to the va_arg macro is not such that a pointer to an
object of

that type can be obtained
simply by postfixing a * (7.16.1.1).

— The va_arg macro is invoked when there is no actual next argument, or with a

specified type that is not
compatible with the promoted type of the actual next

argument, with certain
exceptions (7.16.1.1).

— The va_copy or va_start
macro is called to
initialize a va_list that was

previously initialized by
either macro without an intervening invocation of the

va_end macro for the same va_list (7.16.1.2, 7.16.1.4).

— The parameter parmN of a va_start macro is declared with the register

storage class, with a
function or array type, or with a type that is not compatible with

the type that results after
application of the default argument promotions (7.16.1.4).

— The member designator
parameter of an offsetof
macro is an invalid right

operand of the . operator for the type parameter, or designates a bit-field (7.19).

— The argument in an instance of one of the integer-constant
macros is not a decimal,

octal,
or hexadecimal constant, or it has a value that exceeds the limits for the

corresponding
type (7.20.4).

—
A byte input/output function is applied to a wide-oriented stream, or a wide
character

input/output
function is applied to a byte-oriented stream (7.21.2).

—
Use is made of any portion of a file beyond the most recent wide character
written to

a
wide-oriented stream (7.21.2).

—
The value of a pointer to a FILE object is
used after the associated file is closed

(7.21.3).

—
The stream for the fflush function
points to an input stream or to an update stream

in
which the most recent operation was input (7.21.5.2).

—
The string pointed to by the mode argument in a
call to the fopen function does not

exactly
match one of the specified character sequences (7.21.5.3).

—
An output operation on an update stream is followed by an input operation
without an

intervening
call to the fflush function or a file positioning
function, or an input

operation
on an update stream is followed by an output operation with an intervening

call
to a file positioning function (7.21.5.3).

—
An attempt is made to use the contents of the array that was supplied in a call
to the

setvbuf
function (7.21.5.6).

—
There are insufficient arguments for the format in a call to one of the
formatted

input/output
functions, or an argument does not have an appropriate type (7.21.6.1,

7.21.6.2,
7.29.2.1, 7.29.2.2).

— The format in a call to one of the formatted input/output
functions or to the

strftime
or wcsftime function is not a valid multibyte
character sequence that

begins
and ends in its initial shift state (7.21.6.1, 7.21.6.2, 7.27.3.5, 7.29.2.1,
7.29.2.2,

7.29.5.1).

—
In a call to one of the formatted output functions, a precision appears with a

conversion
specifier other than those described (7.21.6.1, 7.29.2.1).

—
A conversion specification for a formatted output function uses an asterisk to
denote

an
argument-supplied field width or precision, but the corresponding argument is
not

provided
(7.21.6.1, 7.29.2.1).

—
A conversion specification for a formatted output function uses a # or 0 flag with a

conversion
specifier other than those described (7.21.6.1, 7.29.2.1).

—
A conversion specification for one of the formatted input/output functions uses
a

length
modifier with a conversion specifier other than those described (7.21.6.1,

7.21.6.2,
7.29.2.1, 7.29.2.2).

— An s conversion
specifier is encountered by one of the formatted output functions,

and
the argument is missing the null terminator (unless a precision is specified
that

does
not require null termination) (7.21.6.1, 7.29.2.1).

—
An n conversion specification for one of
the formatted input/output functions includes

any
flags, an assignment-suppressing character, a field width, or a precision
(7.21.6.1,

7.21.6.2,
7.29.2.1, 7.29.2.2).

—
A % conversion specifier is encountered
by one of the formatted input/output

functions,
but the complete conversion specification is not exactly %% (7.21.6.1,

7.21.6.2,
7.29.2.1, 7.29.2.2).

—
An inv alid conversion specification is found in the format for one of the
formatted

input/output
functions, or the strftime or wcsftime function
(7.21.6.1, 7.21.6.2,

7.27.3.5,
7.29.2.1, 7.29.2.2, 7.29.5.1).

—
The number of characters or wide characters transmitted by a formatted output

function
(or written to an array, or that would have been written to an array) is
greater

than
INT_MAX (7.21.6.1, 7.29.2.1).

—
The number of input items assigned by a formatted input function is greater
than

INT_MAX
(7.21.6.2, 7.29.2.2).

—
The result of a conversion by one of the formatted input functions cannot be

represented
in the corresponding object, or the receiving object does not have an

appropriate
type (7.21.6.2, 7.29.2.2).

—
A c, s, or [ conversion
specifier is encountered by one of the formatted input

functions,
and the array pointed to by the corresponding argument is not large enough

to
accept the input sequence (and a null terminator if the conversion specifier is
s or

[) (7.21.6.2,
7.29.2.2).

— A c, s, or [ conversion
specifier with an l qualifier is encountered by one of
the

formatted
input functions, but the input is not a valid multibyte character sequence

that
begins in the initial shift state (7.21.6.2, 7.29.2.2).

—
The input item for a %p conversion by
one of the formatted input functions is not a

value
converted earlier during the same program execution (7.21.6.2, 7.29.2.2).

—
The vfprintf, vfscanf, vprintf, vscanf, vsnprintf, vsprintf,

vsscanf, vfwprintf, vfwscanf, vswprintf, vswscanf, vwprintf, or

vwscanf
function is called with an improperly initialized va_list argument, or

the
argument is used (other than in an invocation of va_end) after the
function

returns
(7.21.6.8, 7.21.6.9, 7.21.6.10, 7.21.6.11, 7.21.6.12, 7.21.6.13, 7.21.6.14,

7.29.2.5,
7.29.2.6, 7.29.2.7, 7.29.2.8, 7.29.2.9, 7.29.2.10).

—
The contents of the array supplied in a call to the fgets or fgetws function are

used
after a read error occurred (7.21.7.2, 7.29.3.2).

— The file position indicator for a binary stream is used
after a call to the ungetc

function where its value was zero before the call (7.21.7.10).

—
The file position indicator for a stream is used after an error occurred during
a call to

the
fread or fwrite function
(7.21.8.1, 7.21.8.2).

—
A partial element read by a call to the fread function is
used (7.21.8.1).

—
The fseek function is called for a text stream
with a nonzero offset and either the

offset
was not returned by a previous successful call to the ftell function on a

stream
associated with the same file or whence is not SEEK_SET (7.21.9.2).

—
The fsetpos function is called to set a position
that was not returned by a previous

successful
call to the fgetpos function on a stream associated with
the same file

(7.21.9.3).

—
A non-null pointer returned by a call to the calloc, malloc, or realloc function

with
a zero requested size is used to access an object (7.22.3).

—
The value of a pointer that refers to space deallocated by a call to the free or

realloc
function is used (7.22.3).

—
The alignment requested of the aligned_alloc function is
not valid or not

supported
by the implementation, or the size requested is not an integral multiple of

the
alignment (7.22.3.1).

—
The pointer argument to the free or realloc function does
not match a pointer

earlier
returned by a memory management function, or the space has been deallocated

by
a call to free or realloc (7.22.3.3,
7.22.3.5).

—
The value of the object allocated by the malloc function is
used (7.22.3.4).

—
The value of any bytes in a new object allocated by the realloc function
beyond

the
size of the old object are used (7.22.3.5).

—
The program calls the exit or quick_exit function more
than once, or calls both

functions
(7.22.4.4, 7.22.4.7).

—
During the call to a function registered with the atexit or at_quick_exit

function, a call is made to the longjmp function that
would terminate the call to the

registered
function (7.22.4.4, 7.22.4.7).

—
The string set up by the getenv or strerror function is
modified by the program

(7.22.4.6,
7.24.6.2).

—
A signal is raised while the quick_exit function is
executing (7.22.4.7).

—
A command is executed through the system function in a
way that is documented as

causing
termination or some other form of undefined behavior (7.22.4.8).

— A searching or sorting utility function is called with an
invalid pointer argument, even

if
the number of elements is zero (7.22.5).

—
The comparison function called by a searching or sorting utility function
alters the

contents
of the array being searched or sorted, or returns ordering values

inconsistently
(7.22.5).

—
The array being searched by the bsearch function does
not have its elements in

proper
order (7.22.5.1).

—
The current conversion state is used by a multibyte/wide character conversion

function
after changing the LC_CTYPE category
(7.22.7).

—
A string or wide string utility function is instructed to access an array
beyond the end

of
an object (7.24.1, 7.29.4).

—
A string or wide string utility function is called with an invalid pointer
argument, even

if
the length is zero (7.24.1, 7.29.4).

—
The contents of the destination array are used after a call to the strxfrm,

strftime, wcsxfrm, or wcsftime function in
which the specified length was

too
small to hold the entire null-terminated result (7.24.4.5, 7.27.3.5,
7.29.4.4.4,

7.29.5.1).

—
The first argument in the very first call to the strtok or wcstok is a null
pointer

(7.24.5.8,
7.29.4.5.7).

—
The type of an argument to a type-generic macro is not compatible with the type
of

the
corresponding parameter of the selected function (7.25).

— A complex argument is supplied for a generic parameter of a
type-generic macro that

has
no corresponding complex function (7.25).

—
At least one member of the broken-down time passed to asctime contains a
value

outside
its normal range, or the calculated year exceeds four digits or is less than
the

year
1000 (7.27.3.1).

—
The argument corresponding to an s specifier
without an l qualifier in a call to the

fwprintf
function does not point to a valid multibyte character sequence that

begins
in the initial shift state (7.29.2.11).

—
In a call to the wcstok function, the object pointed to by ptr does not have
the

value
stored by the previous call for the same wide string (7.29.4.5.7).

—
An mbstate_t object is used inappropriately
(7.29.6).

—
The value of an argument of type wint_t to a wide
character classification or case

mapping
function is neither equal to the value of WEOF nor
representable as a

wchar_t
(7.30.1).

— The iswctype function is
called using a different LC_CTYPE category from
the

one
in effect for the call to the wctype function that
returned the description

(7.30.2.2.1).

—
The towctrans function is called using a different LC_CTYPE category from
the

one
in effect for the call to the wctrans function that
returned the description

(7.30.3.2.1).

J.3
Implementation-defined behavior

1 A conforming implementation is required to document its choice of
behavior in each of

the
areas listed in this subclause. The following are implementation-defined:

J.3.1 Translation

1 — How a diagnostic is
identified (3.10, 5.1.1.3).

— Whether each nonempty
sequence of white-space characters other than new-line is

retained or replaced by one
space character in translation phase 3 (5.1.1.2).

J.3.2 Environment

1 — The mapping between
physical source file multibyte characters and the source

character set in
translation phase 1 (5.1.1.2).

— The name and type of the
function called at program startup in a freestanding

environment (5.1.2.1).

— The effect of program
termination in a freestanding environment (5.1.2.1).

— An alternative manner in
which the main function may be defined (5.1.2.2.1).

— The values given to the
strings pointed to by the argv argument to main (5.1.2.2.1).

— What constitutes an
interactive device (5.1.2.3).

— Whether a program can
have more than one thread of execution in a freestanding

environment (5.1.2.4).

— The set of signals, their
semantics, and their default handling (7.14).

— Signal values other than SIGFPE, SIGILL, and SIGSEGV that
correspond to a

computational exception
(7.14.1.1).

— Signals for which the
equivalent of signal(sig, SIG_IGN); is executed at

program startup (7.14.1.1).

— The set of environment names and the method for altering
the environment list used

by
the getenv function (7.22.4.6).

—
The manner of execution of the string by the system function
(7.22.4.8).

J.3.3 Identifiers

1 — Which additional
multibyte characters may appear in identifiers and their

correspondence to universal
character names (6.4.2).

— The number of significant
initial characters in an identifier (5.2.4.1, 6.4.2).

J.3.4 Characters

1 — The number of bits in a
byte (3.6).

— The values of the members
of the execution character set (5.2.1).

— The unique value of the
member of the execution character set produced for each of

the standard alphabetic
escape sequences (5.2.2).

— The value of a char object
into which has been stored any character other than a

member of the basic
execution character set (6.2.5).

— Which of signed char or unsigned char has the
same range, representation,

and behavior as ‘‘plain’’ char (6.2.5,
6.3.1.1).

— The mapping of members of
the source character set (in character constants and string

literals) to members of the
execution character set (6.4.4.4, 5.1.1.2).

— The value of an integer
character constant containing more than one character or

containing a character or
escape sequence that does not map to a single-byte

execution character
(6.4.4.4).

— The value of a wide character constant containing more than
one multibyte character

or
a single multibyte character that maps to multiple members of the extended

execution
character set, or containing a multibyte character or escape sequence not

represented
in the extended execution character set (6.4.4.4).

—
The current locale used to convert a wide character constant consisting of a
single

multibyte
character that maps to a member of the extended execution character set

into
a corresponding wide character code (6.4.4.4).

—
Whether differently-prefixed wide string literal tokens can be concatenated
and, if so,

the
treatment of the resulting multibyte character sequence (6.4.5).

—
The current locale used to convert a wide string literal into corresponding
wide

character
codes (6.4.5).

—
The value of a string literal containing a multibyte character or escape
sequence not

represented
in the execution character set (6.4.5).

—
The encoding of any of wchar_t, char16_t, and char32_t where the

corresponding
standard encoding macro (_ _STDC_ISO_10646_ _,

_
_STDC_UTF_16_ _, or _ _STDC_UTF_32_ _) is not
defined (6.10.8.2).

J.3.5 Integers

1 — Any extended integer
types that exist in the implementation (6.2.5).

— Whether signed integer
types are represented using sign and magnitude, two’s

complement, or ones’
complement, and whether the extraordinary value is a trap

representation or an
ordinary value (6.2.6.2).

— The rank of any extended
integer type relative to another extended integer type with

the same precision
(6.3.1.1).

— The result of, or the
signal raised by, converting an integer to a signed integer type

when the value cannot be
represented in an object of that type (6.3.1.3).

— The results of some
bitwise operations on signed integers (6.5).

J.3.6 Floating point

1 — The accuracy of the
floating-point operations and of the library functions in

<math.h> and <complex.h> that return floating-point results
(5.2.4.2.2).

— The accuracy of the
conversions between floating-point internal representations and

string representations
performed by the library functions in <stdio.h>,

<stdlib.h>, and <wchar.h> (5.2.4.2.2).

— The rounding behaviors
characterized by non-standard values of FLT_ROUNDS

(5.2.4.2.2).

— The evaluation methods
characterized by non-standard negative values of

FLT_EVAL_METHOD (5.2.4.2.2).

— The direction of rounding
when an integer is converted to a floating-point number that

cannot exactly represent
the original value (6.3.1.4).

— The direction of rounding when a floating-point number is
converted to a narrower

floating-point
number (6.3.1.5).

—
How the nearest representable value or the larger or smaller representable
value

immediately
adjacent to the nearest representable value is chosen for certain floating

constants
(6.4.4.2).

—
Whether and how floating expressions are contracted when not disallowed by the

FP_CONTRACT
pragma (6.5).

—
The default state for the FENV_ACCESS pragma
(7.6.1).

—
Additional floating-point exceptions, rounding modes, environments, and

classifications,
and their macro names (7.6, 7.12).

—
The default state for the FP_CONTRACT pragma
(7.12.2)

J.3.7 Arrays and pointers

1 — The result of
converting a pointer to an integer or vice versa (6.3.2.3).

— The size of the result of
subtracting two pointers to elements of the same array

(6.5.6).

J.3.8 Hints

1 — The extent to which
suggestions made by using the register storage-class

specifier are effective
(6.7.1).

— The extent to which suggestions
made by using the inline function specifier are

effective (6.7.4).

J.3.9 Structures, unions, enumerations, and bit-fields

1 — Whether a ‘‘plain’’ int bit-field
is treated as a signed int bit-field or as an

unsigned int bit-field
(6.7.2, 6.7.2.1).

— Allowable bit-field types
other than _Bool, signed int, and unsigned int

(6.7.2.1).

— Whether atomic types are
permitted for bit-fields (6.7.2.1).

— Whether a bit-field can
straddle a storage-unit boundary (6.7.2.1).

— The order of allocation
of bit-fields within a unit (6.7.2.1).

— The alignment of
non-bit-field members of structures (6.7.2.1). This should present

no problem unless binary
data written by one implementation is read by another.

— The integer type
compatible with each enumerated type (6.7.2.2).

J.3.10 Qualifiers

1 — What constitutes an
access to an object that has volatile-qualified type (6.7.3).

J.3.11 Preprocessing directives

1 — The locations within #pragma directives
where header name preprocessing tokens

are recognized (6.4, 6.4.7).

— How sequences in both
forms of header names are mapped to headers or external

source file names (6.4.7).

— Whether the value of a
character constant in a constant expression that controls

conditional inclusion
matches the value of the same character constant in the

execution character set
(6.10.1).

— Whether the value of a
single-character character constant in a constant expression

that controls conditional
inclusion may have a neg ative value (6.10.1).

— The places that are searched for an included < > delimited
header, and how the places

are
specified or the header is identified (6.10.2).

—
How the named source file is searched for in an included " "
delimited header

(6.10.2).

—
The method by which preprocessing tokens (possibly resulting from macro

expansion)
in a #include directive are combined into a header
name (6.10.2).

—
The nesting limit for #include processing
(6.10.2).

—
Whether the # operator inserts a \ character
before the \ character that begins a

universal
character name in a character constant or string literal (6.10.3.2).

—
The behavior on each recognized non-STDC #pragma directive
(6.10.6).

—
The definitions for _ _DATE_ _ and _ _TIME_ _ when
respectively, the date and

time
of translation are not available (6.10.8.1).

J.3.12
Library functions

1 — Any library facilities available to a freestanding program, other
than the minimal set

required
by clause 4 (5.1.2.1).

—
The format of the diagnostic printed by the assert macro
(7.2.1.1).

—
The representation of the floating-point status flags stored by the

fegetexceptflag
function (7.6.2.2).

—
Whether the feraiseexcept function raises the ‘‘inexact’’
floating-point

exception
in addition to the ‘‘overflow’’ or ‘‘underflow’’ floating-point exception

(7.6.2.3).

— Strings other than "C" and "" that may be
passed as the second argument to the

setlocale
function (7.11.1.1).

—
The types defined for float_t and double_t when the
value of the

FLT_EVAL_METHOD
macro is less than 0 (7.12).

—
Domain errors for the mathematics functions, other than those required by this

International
Standard (7.12.1).

—
The values returned by the mathematics functions on domain errors or pole
errors

(7.12.1).

—
The values returned by the mathematics functions on underflow range errors,
whether

errno
is set to the value of the macro ERANGE when the
integer expression

math_errhandling
& MATH_ERRNO is nonzero, and whether the ‘‘underflow’’

floating-point
exception is raised when the integer expression math_errhandling

& MATH_ERREXCEPT is nonzero. (7.12.1).

— Whether a domain error occurs or zero is returned when an fmod function has
a

second
argument of zero (7.12.10.1).

—
Whether a domain error occurs or zero is returned when a remainder function has

a
second argument of zero (7.12.10.2).

—
The base-2 logarithm of the modulus used by the remquo functions in
reducing the

quotient
(7.12.10.3).

—
Whether a domain error occurs or zero is returned when a remquo function has
a

second
argument of zero (7.12.10.3).

—
Whether the equivalent of signal(sig, SIG_DFL); is executed prior
to the call

of
a signal handler, and, if not, the blocking of signals that is performed
(7.14.1.1).

—
The null pointer constant to which the macro NULL expands
(7.19).

—
Whether the last line of a text stream requires a terminating new-line
character

(7.21.2).

—
Whether space characters that are written out to a text stream immediately
before a

new-line
character appear when read in (7.21.2).

—
The number of null characters that may be appended to data written to a binary

stream
(7.21.2).

—
Whether the file position indicator of an append-mode stream is initially
positioned at

the
beginning or end of the file (7.21.3).

—
Whether a write on a text stream causes the associated file to be truncated
beyond that

point
(7.21.3).

—
The characteristics of file buffering (7.21.3).

—
Whether a zero-length file actually exists (7.21.3).

—
The rules for composing valid file names (7.21.3).

—
Whether the same file can be simultaneously open multiple times (7.21.3).

—
The nature and choice of encodings used for multibyte characters in files
(7.21.3).

—
The effect of the remove function on an open file (7.21.4.1).

—
The effect if a file with the new name exists prior to a call to the rename function

(7.21.4.2).

—
Whether an open temporary file is removed upon abnormal program termination

(7.21.4.3).

—
Which changes of mode are permitted (if any), and under what circumstances

(7.21.5.4).

— The style used to print an infinity or NaN, and the meaning
of any n-char or n-wchar

sequence
printed for a NaN (7.21.6.1, 7.29.2.1).

—
The output for %p conversion in the fprintf or fwprintf function
(7.21.6.1,

7.29.2.1).

—
The interpretation of a - character
that is neither the first nor the last character, nor

the
second where a ^ character is the first, in the
scanlist for %[ conversion in the

fscanf
or fwscanf function (7.21.6.2, 7.29.2.1).

—
The set of sequences matched by a %p conversion
and the interpretation of the

corresponding
input item in the fscanf or fwscanf function
(7.21.6.2, 7.29.2.2).

—
The value to which the macro errno is set by the
fgetpos, fsetpos, or ftell

functions on failure (7.21.9.1, 7.21.9.3, 7.21.9.4).

—
The meaning of any n-char or n-wchar sequence in a string representing a NaN
that is

converted
by the strtod, strtof, strtold, wcstod, wcstof, or wcstold

function (7.22.1.3, 7.29.4.1.1).

—
Whether or not the strtod, strtof, strtold, wcstod, wcstof, or wcstold

function sets errno to ERANGE when
underflow occurs (7.22.1.3, 7.29.4.1.1).

—
Whether the calloc, malloc, and realloc functions
return a null pointer or a

pointer
to an allocated object when the size requested is zero (7.22.3).

—
Whether open streams with unwritten buffered data are flushed, open streams are

closed,
or temporary files are removed when the abort or _Exit function is
called

(7.22.4.1,
7.22.4.5).

— The
termination status returned to the host environment by the abort, exit,

_Exit, or quick_exit function
(7.22.4.1, 7.22.4.4, 7.22.4.5, 7.22.4.7).

— The value returned by the
system function when its argument is not a null
pointer

(7.22.4.8).

— The range and precision
of times representable in clock_t
and time_t (7.27). ∗

— The local time zone and
Daylight Saving Time (7.27.1).

— The era for the clock function (7.27.2.1).

— The TIME_UTC epoch (7.27.2.5).

— The replacement string
for the %Z specifier to the strftime, and wcsftime

functions in the "C" locale (7.27.3.5, 7.29.5.1).

— Whether the functions in <math.h> honor the rounding direction mode in an

IEC 60559 conformant
implementation, unless explicitly specified otherwise (F.10).

J.3.13 Architecture

1 — The values or
expressions assigned to the macros specified in the headers

<float.h>, <limits.h>, and <stdint.h>
(5.2.4.2, 7.20.2, 7.20.3).

— The result of attempting
to indirectly access an object with automatic or thread

storage duration from a
thread other than the one with which it is associated (6.2.4).

— The number, order, and
encoding of bytes in any object (when not explicitly specified

in this International
Standard) (6.2.6.1).

— Whether any extended
alignments are supported and the contexts in which they are

supported (6.2.8).

— Valid alignment values
other than those returned by an _Alignof expression for

fundamental types, if any
(6.2.8).

— The value of the result
of the sizeof and _Alignof operators (6.5.3.4).

J.4 Locale-specific behavior

1 The following
characteristics of a hosted environment are locale-specific and are required

to be documented by the
implementation:

— Additional members of the
source and execution character sets beyond the basic

character set (5.2.1).

— The presence, meaning,
and representation of additional multibyte characters in the

execution character set
beyond the basic character set (5.2.1.2).

— The shift states used for
the encoding of multibyte characters (5.2.1.2).

— The direction of writing
of successive printing characters (5.2.2).

— The decimal-point character (7.1.1).

—
The set of printing characters (7.4, 7.30.2).

—
The set of control characters (7.4, 7.30.2).

—
The sets of characters tested for by the isalpha, isblank, islower, ispunct,

isspace, isupper, iswalpha, iswblank, iswlower, iswpunct,

iswspace, or iswupper functions
(7.4.1.2, 7.4.1.3, 7.4.1.7, 7.4.1.9, 7.4.1.10,

7.4.1.11,
7.30.2.1.2, 7.30.2.1.3, 7.30.2.1.7, 7.30.2.1.9, 7.30.2.1.10, 7.30.2.1.11).

—
The native environment (7.11.1.1).

—
Additional subject sequences accepted by the numeric conversion functions
(7.22.1,

7.29.4.1).

—
The collation sequence of the execution character set (7.24.4.3, 7.29.4.4.2).

— The contents of the error message strings set up by the strerror function

(7.24.6.2).

—
The formats for time and date (7.27.3.5, 7.29.5.1).

—
Character mappings that are supported by the towctrans function
(7.30.1).

—
Character classifications that are supported by the iswctype function
(7.30.1).

J.5
Common extensions

1 The following extensions are widely used in many systems, but are not
portable to all

implementations.
The inclusion of any extension that may cause a strictly conforming

program
to become invalid renders an implementation nonconforming. Examples of such

extensions
are new keywords, extra library functions declared in standard headers, or

predefined
macros with names that do not begin with an underscore.

J.5.1
Environment arguments

1 In a hosted environment, the main function
receives a third argument, char *envp[],

that
points to a null-terminated array of pointers to char, each of
which points to a string

that
provides information about the environment for this execution of the program

(5.1.2.2.1).

J.5.2
Specialized identifiers

1 Characters other than the underscore _, letters,
and digits, that are not part of the basic

source
character set (such as the dollar sign $, or
characters in national character sets)

may
appear in an identifier (6.4.2).

J.5.3
Lengths and cases of identifiers

1 All
characters in identifiers (with or without external linkage) are significant
(6.4.2).

J.5.4 Scopes of identifiers

1 A function identifier, or
the identifier of an object the declaration of which contains the

keyword extern, has
file scope (6.2.1).

J.5.5 Writable string literals

1 String literals are
modifiable (in which case, identical string literals should denote distinct

objects) (6.4.5).

J.5.6 Other arithmetic types

1 Additional arithmetic
types, such as _ _int128 or double double, and their

appropriate conversions are
defined (6.2.5, 6.3.1). Additional floating types may have

more range or precision
than long double, may be
used for evaluating expressions of

other floating types, and
may be used to define float_t or double_t. Additional

floating types may also
have less range or precision than float.

J.5.7 Function pointer casts

1 A pointer to an object or
to void may be
cast to a pointer to a function, allowing data to

be invoked as a function
(6.5.4).

2 A pointer to a function
may be cast to a pointer to an object or to void, allowing a

function to be inspected or
modified (for example, by a debugger) (6.5.4).

J.5.8 Extended bit-field types

1 A bit-field may be
declared with a type other than _Bool, unsigned int, or

signed int, with
an appropriate maximum width (6.7.2.1).

J.5.9 The fortran
keyword

1 The fortran function
specifier may be used in a function declaration to indicate that

calls suitable for FORTRAN
should be generated, or that a different representation for the

external name is to be
generated (6.7.4).

J.5.10 The asm keyword

1 The asm keyword may be used to insert assembly language directly into the
translator

output (6.8). The most
common implementation is via a statement of the form:

asm ( character-string-literal );

J.5.11 Multiple
external definitions

1 There may be more than
one external definition for the identifier of an object, with or

without the explicit use of
the keyword extern; if the definitions disagree, or more than

one is initialized, the
behavior is undefined (6.9.2).

J.5.12 Predefined macro names

1 Macro names that do not
begin with an underscore, describing the translation and

execution environments, are
defined by the implementation before translation begins

(6.10.8).

J.5.13 Floating-point status flags

1 If any floating-point
status flags are set on normal termination after all calls to functions

registered by the atexit function
have been made (see 7.22.4.4), the implementation

writes some diagnostics
indicating the fact to the stderr stream, if it is still open,

J.5.14 Extra arguments for signal handlers

1 Handlers for specific
signals are called with extra arguments in addition to the signal

number (7.14.1.1).

J.5.15 Additional stream types and file-opening modes

1 Additional mappings from
files to streams are supported (7.21.2).

2 Additional file-opening
modes may be specified by characters appended to the mode

argument of the fopen function
(7.21.5.3).

J.5.16 Defined file position indicator

1 The file position
indicator is decremented by each successful call to the ungetc or

ungetwc function
for a text stream, except if its value was zero before a call (7.21.7.10,

7.29.3.10).

J.5.17 Math error reporting

1 Functions declared in <complex.h>
and <math.h> raise SIGFPE to report
errors

instead
of, or in addition to, setting errno or raising
floating-point exceptions (7.3,

7.12).