Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated UB references from C11->C23

...

This problem is often caused by a violation of aliasing rules. The C Standard, 6.5, paragraph 7 [ ISO/IEC 9899:20112024 ], specifies those circumstances in which an object may or may not be aliased.

An object shall have its stored value accessed only by an lvalue expression that has one of the following types:

  • a type compatible with the effective type of the object,
  • a qualified version of a type compatible with the effective type of the object, 
  • a type that is the signed or unsigned type corresponding to compatible with the underlying type of the effective type of the object, a type that is
  • the signed or unsigned type corresponding to compatible with a qualified version of the underlying type of the effective type of the object, 
  • an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union), oror 
  • a character type. 

Noncompliant Code Example

...

Code Block
bgColor#ccccff
langc
#include <stdio.h>
 
void func(void) {
  union {
    short a[2];
    int i;
  } u;

  u.a[0]=0x1111;
  u.a[1]=0x1111;
  u.i = 0x22222222;

  printf("%x %x\n", u.a[0], u.a[1]);

  /* ... */
}

The C standard states:

If the member used to read the contents of a union object is not the same as the member last used to store a value in the object, the appropriate part of the object representation of the value is reinterpreted as an object representation in the new type as described in 6.2.6 (a process sometimes called “type punning”). This might be a trap representation

The call to printf() printf() behavior in this compliant solution is unspecified, but it is commonly accepted as an implementation extension. (See unspecified behavior 11.)This function typically outputs "2222 2222". " However, there is no guarantee that this will be true, even on implementations that defined the unspecified behavior; values of type short need not have the same representation as values of type int.; the object representations of a and i are unspecified and need not be compatible in this way, despite this operation being commonly accepted as an implementation extension. (See unspecified behavior 11.)

Noncompliant Code Example

...

Code Block
bgColor#FFCCCC
langc
#include <stdlib.h>
 
struct gadget {
  int i;
  double d;
  char *p;
};
 
struct widget {
  char *q;
  int j;
  double e;
};
 
void func(void) {
  struct gadget *gp;
  struct widget *wp;
 
  gp = (struct gadget *)malloc(sizeof(struct gadget));
  if (!gp) {
    /* Handle error */
  }
  /* ... Initialize gadget ... */
  wp = (struct widget *)realloc(gp, sizeof(struct widget));
  if (!wp) {
    free(gp);
    /* Handle error */
  }
  if (wp->j == 12) {
    /* ... */
  }
  /* ... */
  free(wp);
}

Compliant Solution

This compliant solution reuses the memory from the gadget object but reinitializes the memory to a consistent state before reading from it:

Code Block
bgColor#ccccff
langc
#include <stdlib.h>
#include <string.h>
 
struct gadget {
  int i;
  double d;
  char *p;
};
 
struct widget {
  char *q;
  int j;
  double e;
};
 
void func(void) {
  struct gadget *gp;
  struct widget *wp;
 
  gp = (struct gadget *)malloc(sizeof (struct gadget));
  if (!gp) {
    /* Handle error */
  }
  /* ... */
  wp = (struct widget *)realloc(gp, sizeof(struct widget));
  if (!wp) {
    free(gp);
    /* Handle error */
  }
  memset(wp, 0, sizeof(struct widget));
  /* ... Initialize widget ... */

  if (wp->j == 12) {
    /* ... */
  }
  /* ... */
  free(wp);
}

Noncompliant Code Example

According to the C Standard, 6.7.67.2 3 [ISO/IEC 9899:20112024], using two or more incompatible arrays in an expression is undefined behavior. (See also undefined behavior 7673.)

For two array types to be compatible, both should have compatible underlying element types, and both size specifiers should have the same constant value. If either of these properties is violated, the resulting behavior is undefined.

...

LDRALDRA94 S, 554 SParasoft C/C++testParasoftParasoft

Pointer dereferenced outside its bounds

Pointer implicitly cast to different data type

A cast shall a different 3017, 3030, 3033 

Tool

Version

Checker

Description

LDRA tool suiteCppcheck Premium

Include Page

Cppcheck Premium_V

Cppcheck Premium_V

premium-cert-exp39-cPartially implemented
Helix QAC

Include Page

Helix QAC_V

Helix QAC_V

CERT_C-EXP39-a
CERT_C-EXP39-b
CERT_C-EXP39-c
CERT_C-EXP39-d
CERT_C-EXP39-e
CERT_C-EXP39-f

There shall be no implicit conversions from integral to floating type
A cast should not be performed between a pointer to object type and a different pointer to object type
Avoid accessing arrays and pointers out of bounds
Avoid buffer overflow from tainted data due to defining incorrect format limits
Avoid buffer read overflow from tainted data
Avoid buffer write overflow from tainted data

Polyspace Bug Finder
Include Page
Polyspace Bug Finder_VPolyspace Bug Finder_V

C0310, C0751, C3305

C++3017, C++3030, C++3033


Klocwork

Include Page
Klocwork_V
Klocwork_V

MISRA.CAST.FUNC_PTR.2012
MISRA.CAST.INCOMPLETE_PTR_TO_ANY.2012
MISRA.CAST.OBJ_PTR_TO_NON_INT.2012
MISRA.CAST.OBJ_PTR_TO_OBJ_PTR.2012


LDRA tool suite
Include Page
LDRA_V
LDRA_V
94 S, 554 SPartially implemented
Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-EXP39-a
CERT_C-EXP39-b
CERT_C-EXP39-c
CERT_C-EXP39-d
CERT_C-EXP39-e
CERT_C-EXP39-f

There shall be no implicit conversions from integral to floating type
A cast should

Pointer access out of bounds

Unreliable cast of pointer

MISRA C:2012 Rule 11.3

not be performed between a pointer to object type and a different pointer to

object type

PRQA QA-C
Include Page
PRQA QA-C_vPRQA QA-C_v

0310
3305

Partially implementedPRQA QA-C++4.1 

Avoid accessing arrays and pointers out of bounds
Avoid buffer overflow from tainted data due to defining incorrect format limits
Avoid buffer read overflow from tainted data
Avoid buffer write overflow from tainted data

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule EXP39-C

Checks for cast to pointer pointing to object of different type (rule partially covered)

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V580

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

[Acton 2006]"Understanding Strict Aliasing"
GCC Known Bugs"C Bugs, Aliasing Issues while Casting to Incompatible Types"
[ISO/IEC 9899:20112024]6.5, "Expressions"
6.7.67.23, "Array Declarators"
[Walfridsson 2003]Aliasing, Pointer Casts and GCC 3.3

...