...
Do not reenter a function during the initialization of a static variable declaration. If a function is reentered during the constant initialization of a static object inside that function, the behavior of the program is undefined. Infinite recursion is not required to trigger undefined behavior, the function need only recur once as part of the initialization. Due to thread-safe initialization of variables, a single, recursive call will often result in a deadlock due to locking a non-recursive synchronization primitive.
Additionally, the C++ Standard, [basic.start.init], paragraph 2, states, in part:
Dynamic initialization of a non-local variable with static storage duration is either ordered or unordered. Definitions of explicitly specialized class template static data members have ordered initialization. Other class template static data members (i.e., implicitly or explicitly instantiated specializations) have unordered initialization. Other non-local variables with static storage duration have ordered initialization. Variables with ordered initialization defined within a single translation unit shall be initialized in the order of their definitions in the translation unit. If a program starts a thread, the subsequent initialization of a variable is unsequenced with respect to the initialization of a variable defined in a different translation unit. Otherwise, the initialization of a variable is indeterminately sequenced with respect to the initialization of a variable defined in a different translation unit. If a program starts a thread, the subsequent unordered initialization of a variable is unsequenced with respect to every other dynamic initialization. Otherwise, the unordered initialization of a variable is indeterminately sequenced with respect to every other dynamic initialization.
Do not create an initialization interdependency between static objects with dynamic initialization unless they are ordered with respect to one another. Unordered initialization, especially prevalent across translation unit boundaries, results in unspecified behavior.
Noncompliant Code Example
This noncompliant example attempts to implement an efficient factorial function using caching. Because the initialization of the static local array cache involves recursion, the behavior of the function is undefined, even though the recursion is not infinite.
...
In Microsoft Visual Studio 2015 and GCC 6.1.0, the recursive initialization of cache deadlocks while initializing the static variable in a thread-safe manner.
Compliant Solution
This compliant solution avoids initializing the static local array cache and instead relies on zero-initialization to determine whether each member of the array has been assigned a value yet and, if not, recursively compute its value. It then returns the cached value when possible or computes the value as needed.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdexcept>
int fact(int i) noexcept(false) {
if (i < 0) {
// Negative factorials are undefined.
throw std::domain_error("i must be >= 0");
}
// Use the lazy-initialized cache.
static int cache[17];
if (i < (sizeof(cache) / sizeof(int))) {
if (0 == cache[i]) {
cache[i] = i > 0 ? i * fact(i - 1) : 1;
}
return cache[i];
}
return i > 0 ? i * fact(i - 1) : 1;
}
|
Noncompliant Code Example
In this noncompliant code example, the initialization of foo relies on bar being previously initialized. However, bar may be uninitialized at the point when the constructor for S is called to construct foo because the dynamic initialization is not ordered between translation units.
| Code Block | ||||
|---|---|---|---|---|
| ||||
// File.h
struct S {
S();
void f();
};
// File1.cpp
#include "File.h"
S bar;
S::S() {
bar.f();
}
// File2.cpp
#include "File.h"
S foo;
// File3.cpp
#include "File.h"
extern S foo;
extern S bar;
int main() {
foo.f();
bar.f();
} |
Compliant Solution
This compliant solution ensures that both foo and bar are initialized in order by placing their definition in the same translation unit.
| Code Block | ||||
|---|---|---|---|---|
| ||||
// File.h
struct S {
S();
void f();
};
// File1.cpp
#include "File.h"
extern S bar;
S::S() {
bar.f();
}
// File2.cpp
#include "File.h"
S bar; // Ensure that bar is initialized before foo.
S foo;
// File3.cpp
#include "File.h"
extern S foo;
extern S bar;
int main() {
foo.f();
bar.f();
} |
Risk Assessment
Recursively reentering a function during the initialization of one of its static objects can result in an attacker being able to cause a crash or denial of service. Indeterminately ordered dynamic initialization can lead to undefined behavior due to accessing an uninitialized object.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| DCL56-CPP | Low | Unlikely | Medium | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description |
|---|---|---|---|
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
| [ISO/IEC 14882-2014] | Subclause 3.6.2, "Initialization of Non-local Variables" Subclause 6.7, "Declaration Statement" |
...