SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 54

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version 55

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

An object that is accessed through a restrict-qualified pointer has a special association with that pointer. This association requires that all accesses to that object use, directly or indirectly, the value of that particular pointer. The intended use of the restrict qualifier is to promote optimization, and deleting all instances of the qualifier from a program does not change its meaning (that is, observable behavior). In the absence of this qualifier, other pointers can alias this object. Caching the value in an object designated through a restrict-qualified pointer is safe at the beginning of the block in which the pointer is declared, because no preexisting aliases may also be used to reference that object. The cached value must be restored to the object by the end of the block, where preexisting aliases again become available. New aliases may be formed within the block, but these must all depend on the value of the restrict-qualified pointer so that they can be identified and adjusted to refer to the cached value. For a restrict-qualified pointer at file scope, the block is the body of each function in the file [Walls 2006]. Developers should be aware that C++ does not support the restrict qualifier, but some C++ compiler vendors support implementations support an equivalent qualifier as an extension

The C Standard [ISO/IEC 9899:2011] identifies the following undefined behavior:

...

Noncompliant Code Example

In this noncompliant This code example , assignments between restricted is noncompliant because an assignment is made between two restrict-qualified pointers in the same scope is disallowed.: 

Code Block
bgColor#FFCCCC
langc
int *restrict a;
int *restrict b;

extern int c[];
 
int main(void) {
  c[0] = 17; 
  c[1] = 18;
  a = &c[0]; 
  b = &c[1];
  a = b; /* Undefined behavior */

  /* ... */
}

Note that that undefined behavior occurs only when a is assigned to b. It is valid for a and b to point into the same array object because what matters is which elements are accessed. Provided , provided the range of elements accessed through one of the pointers does not overlap with the range of elements accessed through the other pointer, there is no undefined behavior.

Compliant Solution

One way to eliminate the undefined behavior is simply to remove the restrict-qualification from the affected pointers:

Code Block
bgColor#ccccff
langc
int *a;
int *b;

extern int c[];
 
int main(void) {
  c[0] = 17; 
  c[1] = 18;
  a = &c[0]; 
  b = &c[1];
  a = b; /* Valid definedDefined behavior */

  /* ... */
}

restrict-Qualified Function Parameters

When calling functions that have restrict-qualified function parameters, it is important that pointers do  important that the pointer arguments do not reference overlapping objects if one or more of the objects the pointers are used to modify memory. ThusConsequently, it is important to understand the semantics of the function being called.

...

In this noncompliant code example, the function f() accepts three parameters. The function copies n integers from the int array referenced by the restrict-qualified pointer p to the int array referenced by the restrict-qualified pointer q. Because the object destination array is modified during each execution of the function (for which n is nonzero), if an object the array is accessed through one of the pointer parameters, it cannot also be accessed through the other. Declaring these function parameters as restrict-qualified pointers allows aggressive optimization by the compiler but can also result in undefined behavior if these pointers refer to overlapping objects.

Code Block
bgColor#FFCCCC
langc
#include <stddef.h>
void f(size_t n, int *restrict p, const int *restrict q) {
  while (n-- > 0) {
    *p++ = *q++;
  }
}
 
void g(void) {
  extern int d[100];

  /* ... */
  f(50, d + 1, d); /* Undefined behavior */
}

The function g() declares an array d consisting of 100 int values and then invokes f() to copy memory from one area of the array to another. This call has undefined behavior because each of d[1] through d[49] is accessed through both p and q .

Compliant Solution

In this compliant solution, the function f() is unchanged but the programmer has ensured that none of the calls to f() result in undefined behavior. The call of to f() in g() is valid because the storage allocated to d is effectively divided into two disjoint objects.

Code Block
bgColor#ccccff
langc
#include <stdlib<stddef.h>
void f(size_t n, int *restrict p, const int *restrict q) {
  while (n-- > 0) {
    *p++ = *q++;
  } 
}
 
void g(void) {
  extern int d[100];

  /* ... */
  f(50, d + 50, d); /* Valid definedDefined behavior  */
}

Noncompliant Code Example

In this noncompliant code example, the function add() adds the integer array referenced by the restrict-qualified pointers lhs to the integer array referenced by the restrict-qualified pointer rhs and stores the result in the restrict-qualified pointer referenced by res. The call add(100, a, a, a) The function f() declares an array a consisting of 100 int values and then invokes add() to copy memory from one area of the array to another. The call add(100, a, a, a) has undefined behavior because the object modified by res is accessed by lhs and rhs.

Code Block
bgColor#FFCCCC
langc
#include <stddef.h>
 
void add(size_t n, int *restrict res, const int *restrict lhs,
       const int *restrict rhs) {
  for (size_t i = 0; i < n; ++i) {
    res[i] = lhs[i] + rhs[i];
  }
}
 
void f(void) {
  int a[100]; 
  add(100, a, a, a); /* Undefined behavior */
}

The function f() declares an array a consisting of 100 int values and then invokes add() to copy memory from one area of the array to another. This call has undefined behavior because each of a[1] through a[49] is accessed through both lhs and rhs .

Compliant Solution

In this compliant solution, an unmodified object is aliased through two restricted pointers. Because a and b are disjoint arrays, a call of the form add(100, a, b, b) has defined behavior, because array b is not modified within function add.

Code Block
bgColor#ccccff
langc
#include <stddef.h>
void add(size_t n, int *restrict res, const int *restrict lhs,
         const int *restrict rhs) {
  for (size_t i = 0; i < n; ++i) {
    res[i] = lhs[i] + rhs[i];
  }
}
 
void f(void) {
   int a[100]; 
   int b[100];
   add(100, a, b, b); /* Valid definedDefined behavior  */
}

Invoking Library Functions with restrict-Qualified Pointers

...

If the objects referenced by arguments to functions overlap (meaning the objects share some common memory addresses), the behavior is undefined. See (see also undefined behavior 68 in Appendix J of the C Standard). The result of the functions is unknown, and data may be corrupted. As a result, these functions must never be passed pointers to overlapping objects. If data must be copied between objects that share common memory addresses, a copy function guaranteed to work on overlapping memory, such as memmove(), should be used.

...

Code Block
bgColor#FFCCCC
langc
#include <string.h>
 
void func(void) {
  char c_str[]= "test string";
  char *ptr1 = c_str;
  char *ptr2;

  ptr2 = ptr1 + 3;
  /* Undefined behavior duebecause toof overlapping objects */
  memcpy(ptr2, ptr1, 6);
  
  /* ... */
}

Compliant Solution

...

Code Block
bgColor#ccccff
langc
#include <string.h>

void func(void) {
  char c_str[]= "test string";
  char *ptr1 = c_str;
  char *ptr2;

  ptr2 = ptr1 + 3;
  memmove(ptr2, ptr1, 6);  /* Replace call to memcpy() */

  /* ... */
}

Similar solutions using memmove() can replace the string functions as long as care is taken regarding the byte size of the characters and proper null-termination of the copied string.

...

Code Block
bgColor#FFCCCC
langc
#include <stdio.h>
 
void func(void) {
  int i;
  float x;
  char format[100] = "%s";
  /* Undefined behavior */
  int n = scanf(format, format + 2, &i, &x);
 
  /* ... */
}

Compliant Solution

The same intended results can be achieved as shown in are achieved by this compliant solution:

Code Block
bgColor#ccccff
langc
#include <stdio.h>
 
void func(void) {
  int i;
  float x
  int n = scanf("%d%f", &i, &x); /* Valid definedDefined behavior  */
 
  /* ... */
}

Outer-to-Inner Assignments between Restricted Pointers

The assignment between restricted restrict-qualified pointers declared in an inner nested block from an outer block has well- defined behavior.

Noncompliant Code Example

...

Code Block
bgColor#FFCCCC
langc
void func(void) {
  int *restrict p1;
  int *restrict q1;

  int *restrict p2 = p1; /* Undefined behavior */ 
  int *restrict q2 = q1; /* Undefined behavior */ 
 }

Compliant Solution 

The same intended results can be achieved using a an inner nested block, as shown in this compliant solution:

Code Block
bgColor#ccccff
langc
void func(void) {
  int *restrict p1;   
  int *restrict q1;
  {  /* Added inner block */
    int *restrict p2 = p1;  /* Valid, well-defined behavior  */    
    int *restrict q2 = q1;  /* Valid, well-defined behavior  */ 
  }
}

Risk Assessment

The incorrect use of restrict-qualified pointers can result in undefined behavior that might be exploited to cause data integrity violations.

...

Bibliography

[ISO/IEC 9899:2011]Subclause 6.7.3.1, "Formal Definition of restrict
[Walls 2006] 

...