An object that is accessed through a restrict-qualified pointer has a special association with that pointer. This association requires that all accesses to that object use, directly or indirectly, the value of that particular pointer. The intended use of the restrict qualifier is to promote optimization, and deleting all instances of the qualifier from a program does not change its meaning (that is, observable behavior). In the absence of this qualifier, other pointers can alias this object. Caching the value in an object designated through a restrict-qualified pointer is safe at the beginning of the block in which the pointer is declared , because no preexisting aliases may also be used to reference that object. The cached value must be restored to the object by the end of the block, where preexisting aliases again become available. New aliases may be formed within the block, but these must all depend on the value of the restrict-qualified pointer so that they can be identified and adjusted to refer to the cached value. For a restrict-qualified pointer at file scope, the block is the body of each function in the file [Walls 2006]. Developers should be aware that C++ does not support the restrict qualifier, but some C++ compiler implementations support an equivalent qualifier as an extension.
The C Standard [ISO/IEC 9899:20112024] identifies the following undefined behavior:
A restrict-qualified pointer is assigned a value based on another restricted pointer whose associated block neither began execution before the block associated with this pointer, nor ended before the assignment (6.7.34.12).
This is an oversimplification, however, and it is important to review the formal definition of restrict in subclause 6.7.3.1 of the C Standard to properly understand undefined behaviors associated with the use of restrict-qualified pointers.
...
Noncompliant Code Example
In this noncompliant code example, the function f() accepts three parameters. The function copies n integers from the int array referenced by the restrict-qualified pointer p to the int array referenced by the restrict-qualified pointer q. Because the destination array is modified during each execution of the function (for which n is nonzero), if the array is accessed through one of the pointer parameters, it cannot also be accessed through the other. Declaring these function parameters as restrict-qualified pointers allows aggressive optimization by the compiler but can also result in undefined behavior if these pointers refer to overlapping objects.
...
Noncompliant Code Example
In this noncompliant code example, the function add() adds the integer array referenced by the restrict-qualified pointers lhs to the integer array referenced by the restrict-qualified pointer rhs and stores the result in the restrict-qualified pointer referenced by res. The function f() declares an array a consisting of 100 int values and then invokes add() to copy memory from one area of the array to another. The call add(100, a, a, a) has undefined behavior because the object modified by res is accessed by lhs and rhs.
...
Ensure that restrict-qualified source and destination pointers do not reference overlapping objects when invoking library functions. For example, the following table lists C standard library functions that copy memory from a source object referenced by a restrict-qualified pointer to a destination object that is also referenced by a restrict-qualified pointer:
| Standard C | Annex K |
|---|---|
strcpy() | strcpy_s() |
strncpy() | strncpy_s() |
strcat() | strcat_s() |
strncat() | strncat_s() |
memcpy() | memcpy_s() |
strtok_s() |
If the objects referenced by arguments to functions overlap (meaning the objects share some common memory addresses), the behavior is undefined. (see See also undefined behavior 68.) . The result of the functions is unknown, and data may be corrupted. As a result, these functions must never be passed pointers to overlapping objects. If data must be copied between objects that share common memory addresses, a copy function guaranteed to work on overlapping memory, such as memmove(), should be used.
...
Ensure that functions that accept a restrict-qualified pointer to a const-qualified type do not modify the object referenced by that pointer. Formatted input and output standard library functions frequently fit this description. The following table lists of some of the common functions for which the format argument is a restrict-qualified pointer to a const-qualified type.
| Standard C | Annex K |
|---|---|
printf() | printf_s() |
scanf() | scanf_s() |
sprintf() | sprintf_s() |
snprintf() | snprintf_s() |
For formatted output functions such as printf(), it is unlikely that a programmer would modify the format string. However, an attacker may attempt to do so if a program violates FIO30-C. Exclude user input from format strings and passes tainted values as part of the format string.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
void func(void) {
int i;
float x;
int n = scanf("%d%f", &i, &x); /* Defined behavior */
/* ... */
} |
...
The incorrect use of restrict-qualified pointers can result in undefined behavior that might be exploited to cause data integrity violations.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
EXP43-C | Medium | Probable | High | P4 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated Detection
Tool | Version | Checker | Description |
|---|
| Astrée |
|
|
|
480 S, 489 S, 613 S
| restrict | Supported indirectly via MISRA C 2012 Rule 8.14. | ||||||||
| CodeSonar |
| LANG.TYPE.RESTRICT | Restrict qualifier used | ||||||
| Coverity |
| MISRA C 2012 Rule 8.14 | Partially implemented | ||||||
| Cppcheck Premium |
| premium-cert-exp43-c | Partially implemented | ||||||
| GCC | 8.1 | -Wrestrict | Fully implemented | ||||||
| Helix QAC |
| C1057 | |||||||
| Klocwork |
| MISRA.TYPE.RESTRICT.QUAL.2012 | |||||||
| LDRA tool suite |
| 480 S, 489 S, 613 S | Enhanced enforcement | ||||||
| Parasoft C/C++test |
| CERT_C-EXP43-a | The restrict type qualifier shall not be used | ||||||
| PC-lint Plus |
| 586 | Assistance provided: reports use of the restrict keyword | ||||||
| Polyspace Bug Finder |
| Checks for copy of overlapping memory (rule partially covered) | |||||||
| RuleChecker |
| restrict | Supported indirectly via MISRA C 2012 Rule 8.14. | ||||||
| SonarQube C/C++ Plugin |
|
| S1836 | Implements MISRA C:2012 Rule 8.14 to flag uses of restrict |
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C Secure Coding Standard | FIO30-C. Exclude user input |
| from format strings | Prior to 2018-01-12: CERT: Unspecified Relationship | |
| ISO/IEC TR 24772:2013 | Passing Parameters and Return Values [CSJ] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TS 17961 | Passing pointers into the same object as arguments to different restrict-qualified parameters [restrict] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| MISRA C:2012 |
| Rule 8.14 (required)1 | Prior to 2018-01-12: CERT: Unspecified Relationship |
- MISRA Rule 8.14 prohibits the use of the restrict keyword except in C standard library functions.
Bibliography
...
...