Some functions in the C standard library are not guaranteed to be reentrant with respect to threads. Some functions (such as strtok() and asctime()) return a pointer to the result stored in function-allocated memory on a per-process basis. Other functions (such as rand()) store state information in function-allocated memory on a per-process basis. Multiple threads invoking the same function can cause concurrency problems, which often result in abnormal behavior and can cause more serious vulnerabilities such as abnormal termination, denial-of-service attack, and data integrity violations.

As per the N1401-C1X document, the following library functions are not required to avoid data races:

  • rand()
  • getenv()
  • strtok()
  • strerror()
  • asctime()
  • ctime()

Section 2.9.1 of the System Interfaces volume of POSIX.1-2008 has a much longer list of functions that are not required to be thread-safe.
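The hidden per-process state described above can be shown deterministically. The following is an added example, not code from the original page: it interleaves two callers in a single thread, in the order two threads could produce, and compares strtok() with the POSIX reentrant strtok_r(). The function names and the sample strings are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* exposes strtok_r() */
#endif
#include <stdio.h>
#include <string.h>

/* Constructed sample input: caller A's tokens start with 'a', caller B's with 'b'. */
#define INPUT_A "a1,a2,a3"
#define INPUT_B "b1,b2,b3"

/* Two callers alternate calls to strtok(). Returns how many of the tokens
 * handed to caller A really came from A's own buffer. */
int own_tokens_with_strtok(void) {
    char a[] = INPUT_A, b[] = INPUT_B;
    int own = 0;
    char *ta = strtok(a, ",");      /* A starts: hidden cursor points into a */
    char *tb = strtok(b, ",");      /* B starts: hidden cursor now points into b */
    while (ta != NULL || tb != NULL) {
        if (ta != NULL) {
            own += (ta[0] == 'a');
            ta = strtok(NULL, ","); /* A resumes, but from B's saved position */
        }
        if (tb != NULL)
            tb = strtok(NULL, ","); /* B competes for the same cursor */
    }
    return own;
}

/* Same call order with strtok_r(): each caller owns its cursor (save_a, save_b),
 * so the calls cannot disturb each other. */
int own_tokens_with_strtok_r(void) {
    char a[] = INPUT_A, b[] = INPUT_B;
    char *save_a, *save_b;
    int own = 0;
    char *ta = strtok_r(a, ",", &save_a);
    char *tb = strtok_r(b, ",", &save_b);
    while (ta != NULL || tb != NULL) {
        if (ta != NULL) {
            own += (ta[0] == 'a');
            ta = strtok_r(NULL, ",", &save_a);
        }
        if (tb != NULL)
            tb = strtok_r(NULL, ",", &save_b);
    }
    return own;
}

int main(void) {
    printf("strtok:   A received %d of its 3 tokens\n", own_tokens_with_strtok());
    printf("strtok_r: A received %d of its 3 tokens\n", own_tokens_with_strtok_r());
    return 0;
}
```

With real threads the strtok() case is a data race with no predictable outcome; the single-threaded interleaving only makes the shared cursor visible.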

Non-Compliant Code Example

Consider a multithreaded application that encounters an error while calling a system function. The strerror() function returns a human-readable error string given an error number. C99, Section 7.22.6.2, specifically states that strerror() is not required to avoid data races. Conventionally it could rely on a static array that maps error numbers to error strings, and that array might be accessible and modifiable by other threads.

...

Race conditions caused by multiple threads invoking the same library function can lead to abnormal termination of the application, data integrity violations, or a denial-of-service attack.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| POS40-C | medium | probable | high | P4 | L3 |

Automated Detection

A module written in Compass/ROSE can detect violations of this rule.

...