Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Iterators are a generalization of pointers that allow a C++ program to work with different data structures (containers) in a uniform manner [ISO/IEC 14882-2014]. Pointers, references, and iterators share a close relationship in which it is required that referencing values through such an object be done through a valid valueiterator, pointer, or reference. Storing an iterator, reference, or pointer to an element within a container for any length of time comes with a risk that the underlying container may be modified such that the stored value is invalidatediterator, pointer, or reference becomes invalid. For instance, when a sequence container such as std::vector requires an underlying reallocation, outstanding iterators, pointers, and references will be invalidated [Kalev 99]. Use only a valid pointer, reference, or iterator to refer to an element of a container.

According to the The C++ Standard, [container.requirements.general], paragraph 12 [ISO/IEC 14882-2014] states the following: 

Unless otherwise specified (either explicitly or by defining a function in terms of other functions), invoking a container member function or passing a container as an argument to a library function shall not invalidate iterators to, or change the values of, objects within that container.

The C++ Standard allows references and pointers to be invalidated independently for the same operation, which may result in an invalidated reference but not an invalidated pointer. However, relying on this distinction is insecure because the object pointed to by the pointer may be different than expected even if the pointer is valid. For instance, it is possible to retrieve a pointer to an element from a container, erase that element (invalidating references when destroying the underlying object), then insert a new element at the same location within the container causing the extant pointer to now point to a valid, but distinct object. Thus, any operation that invalidates a pointer or a reference should be treated as though it invalidates both pointers and references.

The following container functions can invalidate iterators, references, and /or pointers under certain circumstances:.

ClassFunctionIteratorsReferences
/PointersNotes
std::deque
  
    





insert(), emplace_front(), emplace_back(),
emplace(), push_front(), push_back()
XX
 

An insertion in the middle of the deque invalidates all the iterators and references to elements of the deque. An insertion at either end of the deque invalidates all the iterators to the deque but has no effect on the validity of references to elements of the deque. ([deque.modifiers], paragraph 1)

 


erase(), pop_back(), resize()XX
 

An erase operation that erases the last element of a deque invalidates only the past-the-end iterator and all iterators and references to the erased elements. An erase operation that erases the first element of a deque but not the last element invalidates only the erased elements. An erase operation that erases neither the first element nor the last element of a deque invalidates the past-the-end iterator and all iterators and references to all the elements of the deque. ([deque.modifiers], paragraph 4)

 


clear()
X
XX

Destroys all elements in the container. Invalidates all references, pointers, and iterators referring to the elements of the container and may invalidate the past-the-end iterator. ([sequence.reqmts], Table 100)

std::forward_list
      





erase_after(), pop_front(), resize()XX
 
erase_after shall invalidate only iterators and references to the erased elements. ([forwardlist.modifiers], paragraph 1)
 

remove(), unique()XX
 

Invalidates only the iterators and references to the erased elements. ([forwardlist.ops], paragraph 12 & paragraph 16)

 


clear()
X
XXDestroys all elements in the container. Invalidates all references, pointers, and iterators referring to the elements of the container and may invalidate the past-the-end iterator. ([sequence.reqmts], Table 100)
std::list
    
  





erase(), pop_front(), pop_back(), clear(), remove(), remove_if(), unique()XX
 
Invalidates only the iterators and references to the erased elements. ([list.modifiers], paragraph 3 and [list.ops], paragraph 15 & paragraph 19)
 

clear()XX
X
Destroys all elements in the container. Invalidates all references, pointers, and iterators referring to the elements of the container and may invalidate the past-the-end iterator. ([sequence.reqmts], Table 100)
std::vector
      





reserve()
X
XX

After reserve(), capacity() is greater or equal to the argument of reserve if reallocation happens and is equal to the previous value of capacity() otherwise. Reallocation invalidates all the references, pointers, and iterators referring to the elements in the sequence. ([vector.capacity], paragraph 3 & paragraph 6)

 

insert(), emplace_back(), emplace(), push_back()XX
 

Causes reallocation if the new size is greater than the old capacity. If no reallocation happens, all the iterators and references before the insertion point remain valid. ([vector.modifiers], paragraph 1). All iterators and references after the insertion point are invalidated.

 


erase(), pop_back(), resize()XX
 
Invalidates iterators and references at or after the point of the erase. ([vector.modifiers], paragraph 3)
 

clear()
X
XXDestroys all elements in the container. Invalidates all references, pointers, and iterators referring to the elements of the container and may invalidate the past-the-end iterator. ([sequence.reqmts], Table 100)
std::set, std::multiset, std::map, std::multimap
      





erase(), clear()XX
  
Invalidates only iterators and references to the erased elements. ([associative.reqmts], paragraph 9)

std::unordered_set, std::unordered_multiset, std::unordered_map, std::unordered_multimap

     





erase(), clear()XX
 
Invalidates only iterators and references to the erased elements. ([unord.req], paragraph 14)
 

insert(), emplace()X
  

The insert and emplace members shall not affect the validity of iterators if (N+n) < z * B, where N is the number of elements in the container prior to the insert operation, n is the number of elements inserted, B is the container’s bucket count, and z is the container’s maximum load factor. ([unord.req], paragraph 15)

 


rehash(), reserve()X
 
 

Rehashing invalidates iterators, changes ordering between elements, and changes which buckets the elements appear in but does not invalidate pointers or references to elements. ([unord.req], paragraph 9)

std::valarrayresize()
 X

XResizing invalidates all pointers and references to elements in the array. ([valarray.members], paragraph 12)

A std::basic_string object is also a container for to which this rule applies. For more specific information pertaining to std::basic_string containers, see STR52-CPP. Use valid references, pointers, and iterators to reference elements of a basic_string.

...

In this noncompliant code example, pos is invalidated after the first call to insert(), and subsequent loop iterations have undefined behavior:.

Code Block
bgColor#FFcccc
langcpp
#include <deque>
 
void f(const double *items, std::size_t count) {
  std::deque<double> d;
  auto pos = d.begin();
  for (std::size_t i = 0; i < count; ++i, ++pos) {
    d.insert(pos, items[i] + 41.0);
  }
}

...

In this compliant solution, pos is assigned a valid iterator on each insertion, preventing undefined behavior:.

Code Block
bgColor#ccccff
langcpp
#include <deque>
 
void f(const double *items, std::size_t count) {
  std::deque<double> d;
  auto pos = d.begin();
  for (std::size_t i = 0; i < count; ++i, ++pos) {
    pos = d.insert(pos, items[i] + 41.0);
  }
}

...

Code Block
bgColor#ccccff
langcpp
#include <deque><algorithm>
#include <algorithm><deque>
#include <iterator>
 
void f(const double *items, std::size_t count) {
  std::deque<double> d;
  std::transform(items, items + count, std::inserter(d, d.begin()),
                 [](double d) { return d + 41.0; });
}

Noncompliant Code Example

In this noncompliant code example, data is invalidated after the call to replace(), and so its use in g() is undefined behavior:

Code Block
bgColor#ffcccc
langcpp
#include <iostream>
#include <string>
 
extern void g(const char *);
 
void f(std::string &example_string) {
  const char *data = example_string.data();
  // ...
  example_string.replace(0, 2, "bb");
  // ...
  g(data);

}

Compliant Solution

In this compliant solution, the pointer to example_string's internal buffer is not generated until after the modifications from replace() have completed:

Code Block
bgColor#ccccff
langcpp
#include <iostream>
#include <string>

extern void g(const char *);

void f(std::string &example_string) {
  // ...
  example_string.replace(0, 2, "bb");
  // ...
  g(example_string.data());
}

Risk Assessment

Using invalid references, pointers, or iterators to reference elements of a container results in undefined behavior.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

CTR51-CPP

High

Probable

High

P6

L2

Automated Detection

Tool

Version

Checker

Description

   

Astrée

Include Page
Astrée_V
Astrée_V

overflow_upon_dereference
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

ALLOC.UAF

Use After Free

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

DF4746, DF4747, DF4748, DF4749


Klocwork
Include Page
Klocwork_V
Klocwork_V

ITER.CONTAINER.MODIFIED


Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_CPP-CTR51-a

Do not modify container while iterating over it
Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C++: CTR51-CPP

Checks for use of invalid iterator (rule partially covered).

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V783
 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[ISO/IEC 14882-2014]

Clause 23, "Containers Library"
Subclause 24.2.1, "In General" 

[Kalev
99
1999]ANSI/ISO C++ Professional Programmer's Handbook
[Meyers
01
2001]Item 43, "Prefer Algorithm Calls to
Hand-written
Handwritten Loops"
[Sutter
04
2004]Item 84, "Prefer Algorithm Calls to Handwritten Loops"

...


...

Image Modified Image Modified Image Modified