Do not cast away a const qualification on a variable type. Casting away the const qualification allows a program to modify a constant value, which results in undefined behavior.

As an illustration, C99 provides a footnote:

The implementation may place a const object that is not volatile in a read-only region of storage. Moreover, the implementation need not allocate storage for such an object if its address is never used.

Casting away a const qualification lets code attempt to modify an object declared as const. The const specification on variables and parameters implies to a maintainer or caller that, although the code knows the location of the memory, it will not modify its contents. Although C++ allows you to remove the qualifier with a cast, doing so violates the implication of the specifier.

Noncompliant Code Example

The remove_spaces() function in this noncompliant code example accepts a pointer to a string str and a string length slen and removes the space characters from the string by shifting the remaining characters toward the front of the string. The function is passed a const char pointer as an argument. The const qualification is cast away, and the contents of the string are then modified through the cast pointer.

void remove_spaces(const char *str, size_t slen) {
  char *p = const_cast<char *>(str);  /* casts away const */
  size_t i;
  for (i = 0; i < slen && str[i]; i++) {
    if (str[i] != ' ') *p++ = str[i];  /* writes through the cast pointer */
  }
  *p = '\0';  /* undefined behavior if the caller's string is really const */
}

Compliant Solution

In this compliant solution, the function remove_spaces() is passed a non-const char pointer. The calling function must ensure that the null-terminated byte string passed to the function is not const, by making a copy of the string or by other means.

void remove_spaces(char *str, size_t slen) {
  char *p = str;
  size_t i;
  for (i = 0; i < slen && str[i]; i++) {
    if (str[i] != ' ') *p++ = str[i];
  }
  *p = '\0';
}
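The compliant solution moves the obligation to the caller: it must hand remove_spaces() a buffer it is allowed to modify. The following added example (not code from the original page) shows the two usual ways to meet that obligation: copying the const input into storage the caller owns before calling remove_spaces(), and, alternatively, a const-correct interface that reads from the const source and writes the result to a separate buffer, so that no qualifier is ever removed. The helpers strip_spaces_copy() and copy_without_spaces() and the sample inputs are assumptions of this example, not part of the page.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// remove_spaces() as in the compliant solution: it takes a non-const
// pointer, so it can only be handed a buffer the caller may modify.
void remove_spaces(char *str, size_t slen) {
  char *p = str;
  for (size_t i = 0; i < slen && str[i]; i++) {
    if (str[i] != ' ') *p++ = str[i];
  }
  *p = '\0';
}

// Caller-side fix (assumed helper, not on the page): the caller holds a
// const string, so it copies it into storage it owns and mutates the copy.
// The copy includes the terminating '\0' so remove_spaces() can write it back.
std::string strip_spaces_copy(const char *input) {
  std::vector<char> buf(input, input + std::strlen(input) + 1);
  remove_spaces(buf.data(), buf.size() - 1);
  return std::string(buf.data());
}

// Interface-side fix (assumed helper, not on the page): read from a const
// source and write to a separate caller-supplied buffer, so nothing has to
// be cast. Writes at most dst_len - 1 characters plus a terminator and
// returns the number of non-space characters in src, so the caller can
// detect truncation (as with snprintf()) when the return value >= dst_len.
size_t copy_without_spaces(const char *src, char *dst, size_t dst_len) {
  size_t needed = 0;
  size_t written = 0;
  for (const char *p = src; *p != '\0'; ++p) {
    if (*p == ' ') continue;
    if (written + 1 < dst_len) dst[written++] = *p;
    ++needed;
  }
  if (dst_len > 0) dst[written] = '\0';
  return needed;
}

int main() {
  const char *msg = " a b  c ";  // constructed sample input
  // remove_spaces(msg, 8);      // does not compile: const char* -> char*
  std::printf("copy:    \"%s\"\n", strip_spaces_copy(msg).c_str());

  char small[4];                 // deliberately too small for the result
  size_t needed = copy_without_spaces("a b c d", small, sizeof small);
  std::printf("bounded: \"%s\" (needed %zu)\n", small, needed);
  return 0;
}
```

Both helpers keep the const on the input where it belongs; the first pays for a copy, the second pays for a second buffer, but neither can write to a const object. Note that the second helper never writes when dst_len is 0, so the return value alone tells the caller how large a buffer to allocate.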

...

Non-Compliant Code Example

In this noncompliant code example, a const int array vals is declared, and its contents are then cleared by the call to memset(), leaving values of 0 in the vals array.

const int vals[3] = {3, 4, 5};
memset((int *) vals, 0, sizeof(vals));  /* the cast discards const; memset() then writes to a const object */

Because the memset() function takes a (non-const) pointer to void, vals cannot be passed to it without casting away const; the (int *) cast in this example does exactly that, and the subsequent write is undefined behavior.

Implementation Details

GCC diagnoses the conversion when it is implicit: in C++, memset(vals, 0, sizeof(vals)) is rejected as an invalid conversion from const int * to void *, and in C the same call produces a warning about discarded qualifiers. An explicit C-style cast such as (int *) vals silences that diagnostic. Compiling with -Wcast-qual makes GCC report C-style casts that discard a qualifier, which is a practical way to check code against this rule.

Compliant Solution

If the intention is to allow the array values to be modified, do not declare the array as const.

int vals[3] = {3, 4, 5};
memset(vals, 0, sizeof(vals));

...

#include <cstdio>

/* Legacy function defined elsewhere - cannot be modified; it only reads errstr */
void audit_log(char *errstr) {
  fprintf(stderr, "Error: %s.\n", errstr);
}

/* ... */
const char INVFNAME[] = "Invalid file name.";
audit_log(const_cast<char *>(INVFNAME)); /* EXP05-EX1 */
/* ... */
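The code above (EXP05-EX1) shows a legacy function that lacks const on its parameter but only reads through it. The following added example (not the page's own code) shows how to confine such a cast to a single const-correct wrapper, placed next to the reason it is safe, and, for contrast, how to deal with a legacy function that does modify its argument, where a cast would violate the rule. The legacy functions legacy_count_words() and legacy_upcase(), the wrappers count_words() and upcased(), and the sample input are all constructed for this example.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Two constructed legacy functions standing in for code that cannot be
// changed (like audit_log() above). Both lack const on their parameter.

// Legacy function that only reads its argument (assumed, not on the page).
size_t legacy_count_words(char *s) {
  size_t count = 0;
  bool in_word = false;
  for (const char *p = s; *p != '\0'; ++p) {
    bool is_space = std::isspace(static_cast<unsigned char>(*p)) != 0;
    if (!is_space && !in_word) ++count;
    in_word = !is_space;
  }
  return count;
}

// Legacy function that writes through its argument (assumed, not on the page).
void legacy_upcase(char *s) {
  for (char *p = s; *p != '\0'; ++p) {
    *p = static_cast<char>(std::toupper(static_cast<unsigned char>(*p)));
  }
}

// Const-correct wrapper for the read-only legacy API. This is the EXP05-EX1
// situation: the cast lives on one line, next to the reason it is safe.
size_t count_words(const char *s) {
  // legacy_count_words() never writes through its pointer (see above), so
  // removing const here does not lead to a modification of a const object.
  return legacy_count_words(const_cast<char *>(s));
}

// Wrapper for the mutating legacy API. Here a const_cast would violate the
// rule (and be undefined behavior when s refers to a const array), so the
// wrapper makes a writable copy and lets the legacy code modify that.
std::string upcased(const char *s) {
  std::vector<char> buf(s, s + std::strlen(s) + 1);  // includes '\0'
  legacy_upcase(buf.data());
  return std::string(buf.data());
}

int main() {
  const char GREETING[] = "hello const world";  // constructed sample input
  std::printf("%zu words\n", count_words(GREETING));
  std::printf("%s\n", upcased(GREETING).c_str());
  // legacy_upcase(const_cast<char *>(GREETING)); // violation: writes to a const object
  return 0;
}
```

The wrapper is the place a reviewer should look: every const_cast in the code base should sit in such a wrapper with a comment stating why the callee does not write through the pointer, and a legacy function that does write must get a copy instead.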

Risk Assessment

If the object really is constant, the compiler may have placed it in ROM or in write-protected memory. Attempting to modify such an object may lead to a program crash, which could allow an attacker to mount a denial-of-service attack. Even where the write does not fault, it is undefined behavior: the compiler is entitled to assume that a const object never changes, so later reads may return the original value regardless of the write.

...

References

[ISO/IEC 9899:1999] Section 6.7.3, "Type qualifiers"
[ISO/IEC 14882-2003] Sections 3.9.3, "CV-qualifiers," and 3.10, "Lvalues and rvalues" (para. 13)
[ISO/IEC PDTR 24772] "HFC Pointer casting and pointer type changes" and "IHN Type system"
[MISRA 04] Rule 11.5
[Sutter 04] Item 94: Avoid casting away const

...
