An object that has volatile-qualified type may be modified in ways unknown to the implementation or have other unknown side effects. Referencing a volatile object by using a nonvolatile value results in undefined behavior. The C Standard, subclause 6.7.3 [ISO/IEC 9899:2011], states:
If an attempt is made to refer to an object defined with a volatile-qualified type through use of an lvalue with non-volatile-qualified type, the behavior is undefined.
(See also undefined behavior 65 in Annex J of the C Standard.)
Noncompliant Code Example
In this example, a volatile object is accessed through a non-volatile-qualified reference, resulting in undefined behavior:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> void func(void) { static volatile int **ipp; static int *ip; static volatile int i = 0; printf("i = %d.\n", i); ipp = &ip; /* Produces warnings in modern compilers */ ipp = (int**) &ip; /* Constraint violation; also produces warnings */ *ipp = &i; /* Valid */ if (*ip != 0) { /* Valid */ /* ... */ } } |
The assignment ipp = &ip
is unsafe because it would allow the valid code that follows to reference the value of the volatile object i
through the non-volatile-qualified reference ip
. In this example, the compiler may optimize out the entire if
block because i != 0
must be false if i
is not volatile.
Implementation Details
This example compiles without warning on Microsoft Visual Studio 2013 when compiled in C mode (/TC) but causes errors when compiled in C++ mode (/TP).
GCC 4.8.1 generates a warning but compiles successfully.
Compliant Solution
In this compliant solution, ip
is declared volatile:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> void func(void) { static volatile int **ipp; static volatile int *ip; static volatile int i = 0; printf("i = %d.\n", i); ipp = &ip; *ipp = &i; if (*ip != 0) { /* ... */ } } |
Risk Assessment
Casting away volatile allows access to an object through a nonvolatile reference and can result in undefined and perhaps unintended program behavior.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP32-C | Low | Likely | Medium | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
|
|
| |||||||
|
| Can detect violations of this rule when the | |||||||
| 344 S | Fully implemented | |||||||
PRQA QA-C |
| 0312 | Fully implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard | EXP32-CPP. Do not access a volatile object through a non-volatile reference |
ISO/IEC TR 24772:2013 | Pointer Casting and Pointer Type Changes [HFC] Type System [IHN] |
MISRA C:2012 | Rule 11.8 (required) |
Bibliography
[ISO/IEC 9899:2011] | Subclause 6.7.3, "Type Qualifiers" |