SEI CERT C++ Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 7

changes.mady.by.user Justin Pincar

Saved on

compared with

New Version Current

changes.mady.by.user Valery

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

An Every object has a lifetime in which it can be used in a storage duration that determines its lifetime. There are three storage durations: static, automatic, and allocated.

Wiki Markup
\[[ISO/IEC 14882-2003|AA. C++ References#ISO/IEC 14882-2003]\] Section 3.8, "Object Lifetime" describes a number of situations in which trying to access an object outside of its lifetime leads to undefined behavior.

Attempting to access an object outside of its lifetime can result in an exploitable vulnerability.

Noncompliant Code Example (Static Variables)

This noncompliant code example declares the variable p as a pointer to a constant char with file scope. The value of str is assigned to p within the dont_do_this() function. However, str has automatic storage duration, so the lifetime of str ends when the dont_do_this() function exits.

Code Block
bgColor#FFCCCC

const char *p;
void dont_do_this(void) {
    const char str[] = "This will change";
    p = str; /* dangerous */
    /* ... */
}

void innocuous(void) {
    const char str[] = "Surprise, surprise";
}
/* ... */
dont_do_this();
innocuous();
/* p might be pointing to "Surprise, surprise" */

As a result of this undefined behavior, it is likely that p will refer to the string literal "Surprise, surprise" after the call to the innocuous() function.

Compliant Solution (p with Block Scope)

well-defined manner. The lifetime of an object begins when sufficient, properly aligned storage has been obtained for it and its initialization is complete. The lifetime of an object ends when a nontrivial destructor, if any, is called for the object and the storage for the object has been reused or released. Use of an object, or a pointer to an object, outside of its lifetime frequently results in undefined behavior.

The C++ Standard, [basic.life], paragraph 5 [ISO/IEC 14882-2014], describes the lifetime rules for pointers:

Before the lifetime of an object has started but after the storage which the object will occupy has been allocated or, after the lifetime of an object has ended and before the storage which the object occupied is reused or released, any pointer that refers to the storage location where the object will be or was located may be used but only in limited ways. For an object under construction or destruction, see 12.7. Otherwise, such a pointer refers to allocated storage, and using the pointer as if the pointer were of type void*, is well-defined. Indirection through such a pointer is permitted but the resulting lvalue may only be used in limited ways, as described below. The program has undefined behavior if:
    — the object will be or was of a class type with a non-trivial destructor and the pointer is used as the operand of a delete-expression,
    — the pointer is used to access a non-static data member or call a non-static member function of the object, or
    — the pointer is implicitly converted to a pointer to a virtual base class, or
    — the pointer is used as the operand of a static_cast, except when the conversion is to pointer to cv void, or to pointer to cv void and subsequently to pointer to either cv char or cv unsigned char, or
    — the pointer is used as the operand of a dynamic_cast.

Paragraph 6 describes the lifetime rules for non-pointers:

Similarly, before the lifetime of an object has started but after the storage which the object will occupy has been allocated or, after the lifetime of an object has ended and before the storage which the object occupied is reused or released, any glvalue that refers to the original object may be used but only in limited ways. For an object under construction or destruction, see 12.7. Otherwise, such a glvalue refers to allocated storage, and using the properties of the glvalue that do not depend on its value is well-defined. The program has undefined behavior if:
    — an lvalue-to-rvalue conversion is applied to such a glvalue,
    — the glvalue is used to access a non-static data member or call a non-static member function of the object, or
    — the glvalue is bound to a reference to a virtual base class, or
    — the glvalue is used as the operand of a dynamic_cast or as the operand of typeid.

Do not use an object outside of its lifetime, except in the ways described above as being well-defined.

Noncompliant Code Example

In this noncompliant code example, a pointer to an object is used to call a non-static member function of the object prior to the beginning of the pointer's lifetime, resulting in undefined behavior.

Code Block
bgColor#FFCCCC
langcpp
struct S {
  void mem_fn();
};
 
void f() {
  S *s;
  s->mem_fn();
}

Compliant Solution

In this compliant solution, storage is obtained for the pointer prior to calling S::mem_fn().

Code Block
bgColor#ccccff
langcpp
struct S {
  void mem_fn();
};
 
void f() {
  S *s = new S;
  s->mem_fn();
  delete s;
}

An improved compliant solution would not dynamically allocate memory directly but would instead use an automatic local variable to obtain the storage and perform initialization. If a pointer were required, use of a smart pointer, such as std::unique_ptr, would be a marked improvement. However, these suggested compliant solutions would distract from the lifetime demonstration of this compliant solution and consequently are not shown.

Noncompliant Code Example

In this noncompliant code example, a pointer to an object is implicitly converted to a virtual base class after the object's lifetime has ended, resulting in undefined behavior.

Code Block
bgColor#FFCCCC
langcpp
struct B {};
 
struct D1 : virtual B {};
struct D2 : virtual B {};
 
struct S : D1, D2 {};
 
void f(const B *b) {}
 
void g() {
  S *s = new S;
  // Use s
  delete s;
 
  f(s);
}

Despite the fact that f() never makes use of the object, its being passed as an argument to f() is sufficient to trigger undefined behavior.

Compliant Solution

In this compliant solution, the lifetime of s is extended to cover the call to f().

Code Block
bgColor#ccccff
langcpp
struct B {};
 
struct D1 : virtual B {};
struct D2 : virtual B {};
 
struct S : D1, D2 {};
 
void f(const B *b) {}
 
void g() {
  S *s = new S;
  // Use s
  f(s);
 
  delete s;
}

Noncompliant Code Example

In this noncompliant code example, the address of a local variable is returned from f(). When the resulting pointer is passed to h(), the lvalue-to-rvalue conversion applied to i results in undefined behavior.

Code Block
bgColor#FFCCCC
langcpp
int *g() {
  int i = 12;
  return &i;
}
 
void h(int *i);
 
void f() {
  int *i = g();
  h(i);
}

Some compilers generate a diagnostic message when a pointer to an object with automatic storage duration is returned from a function, as in this example.

Compliant Solution

In this compliant solution, the local variable returned from g() has static storage duration instead of automatic storage duration, extending its lifetime sufficiently for use within fIn this compliant solution, p is declared with the same scope as str, preventing p from taking on an indeterminate value outside of this_is_OK().

Code Block
bgColor#ccccff
langcpp
int *g() {
void this_is_OK(void  static int i = 12;
  return &i;
}
 
void h(int *i);
 
void f() {
  int *i = constg();
 char str[] = "Everything OK";
    const char *p = str;
    /* ... */
}
/* p is inaccessible outside the scope of string str */

Compliant Solution (p with File Scope)

 h(i);
}

Noncompliant Code Example

std::initializer_list<> object is constructed from an initializer list as though the implementation allocated a temporary array and passed it to the std::initializer_list<> constructor. This temporary array has the same lifetime as other temporary objects except that initializing a std::initializer_list<> object from the array extends the lifetime of the array exactly like binding a reference to a temporary [ISO/IEC 14882-2014].

In this noncompliant code example, a member variable of type std::initializer_list<int> is list-initialized within the constructor's ctor-initializer. Under these circumstances, the conceptual temporary array's lifetime ends once the constructor exits, so accessing any elements of the std::initializer_list<int> member variable results in undefined behavior.

Code Block
bgColor#FFCCCC
langcpp
#include <initializer_list>
#include <iostream>

class C {
  std::initializer_list<int> l;
  
public:
  C() : l{1, 2, 3} {}
  
  int first() const { return *l.begin(); }
};

void f() {
  C c;
  std::cout << c.first();
}

Compliant Solution

In this compliant solution, the std::initializer_list<int> member variable is replaced with a std::vector<int>, which copies the elements of the initializer list to the container instead of relying on a dangling reference to the temporary arrayIf it is necessary for p to be defined with file scope, it can be set to NULL before str is destroyed. This prevents p from taking on an indeterminate value, although any references to p must check for NULL.

Code Block
bgColor#ccccff
langcpp
#include <iostream>
#include <vector>
 
class C {
  std::vector<int> l;
  
public:
  C() : l{1, 2, 3} {}
  
  int first() const { charreturn *p;
void is_this_OK(void) {
    const char str[] = "Everything OK?";
    p = str;
    /* ... */
    p = NULL;
}

Noncompliant Code Example (Return Values)

In this example, the function init_array() incorrectly returns a pointer to a local stack variable.

Code Block
bgColor#FFCCCC

char *init_array(void) {
   char array[10];
   /* Initialize array */
   return array;
}

Some compilers generate a warning when a pointer to an automatic variable is returned from a function, as in this example. Compile your code at high warning levels and resolve any warnings (see MSC00-CPP. Compile cleanly at high warning levels).

Compliant Solution (Return Values)

Correcting this example depends on the intent of the programmer. If the intent is to modify the value of array and have that modification persist outside of the scope of init_array(), the desired behavior can be achieved by declaring array elsewhere and passing it as an argument to init_array().

l.begin(); }
};
 
void f() {
  C c;
  std::cout << c.first();
}

Noncompliant Code Example

In this noncompliant code example, a lambda object is stored in a function object, which is later called (executing the lambda) to obtain a constant reference to a value. The lambda object returns an int value, which is then stored in a temporary int object that becomes bound to the const int & return type specified by the function object. However, the temporary object's lifetime is not extended past the return from the function object's invocation, which causes undefined behavior when the resulting value is accessed.

Page properties
hiddentrue

There is reflector discussion that this may wind up being a DR, however, there is implementation divergence on the behavior currently with Clang 3.7 reporting "42" and GCC reporting a random value. The discussion starts with c++std-lib-37670

Code Block
bgColor#FFCCCC
langcpp
#include <functional>
 
void f() {
  auto l = [](const int &j) { return j; };
  std::function<const int&(const int &)> fn(l);
 
  int i = 42;
  int j = fn(i);
}

Compliant Solution

In this compliant solution, the std::function object returns an int instead of a const int &, ensuring that the value is copied instead of bound to a temporary reference. An alternative solution would be to call the lambda directly instead of through the std::function<> object.

Code Block
bgColor#ccccff
langcpp
#include <functional>
 
void f() {
  auto l = [](const int &j) { return j; };
  std::function<int(const int &)> fn(l);
 
  int i = 42;
  int j = fn(i);
}

Noncompliant Code Example

In this noncompliant code example, the constructor for the automatic variable s is not called because execution does not flow through the declaration of the local variable due to the goto statement. Because the constructor is not called, the lifetime for s has not begun. Therefore, calling S::f() uses the object outside of its lifetime and results in undefined behavior.

Code Block
bgColor#FFcccc
langcpp
class S { 
  int v; 
 
public: 
  S() : v(12) {} // Non-trivial constructor 
 
  void f(); 
};   
 
void f() { 
 
  // ...   
 
  goto bad_idea;   
 
  // ... 
 
  S s; // Control passes over the declaration, so initialization does not take place.   
 
  bad_idea: 
    s.f(); 
}

Compliant Solution

This compliant solution ensures that s is properly initialized prior to performing the local jump.

Code Block
bgColor#ccccff
langcpp
class S { 
  int v; 
 
public: 
  S() : v(12) {} // Non-trivial constructor 
  
  void f(); 
};   
 
void f() { 
  S s; 
 
  // ... 
 
  goto bad_idea; 
 
  // ... 
 
  bad_idea: 
    s.f(); 
}

Noncompliant Code Example

In this noncompliant code example, f() is called with an iterable range of objects of type S. These objects are copied into a temporary buffer using std::copy(), and when processing of those objects is complete, the temporary buffer is deallocated. However, the buffer returned by std::get_temporary_buffer() does not contain initialized objects of type S, so when std::copy() dereferences the destination iterator, it results in undefined behavior because the object referenced by the destination iterator has yet to start its lifetime. This is because while space for the object has been allocated, no constructors or initializers have been invoked.

Code Block
bgColor#FFcccc
langcpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <type_traits>
 
class S {
  int i;

public:
  S() : i(0) {}
  S(int i) : i(i) {}
  S(const S&) = default;
  S& operator=(const S&) = default;
};

template <typename Iter>
void f(Iter i, Iter e) {
  static_assert(std::is_same<typename std::iterator_traits<Iter>::value_type, S>::value,
                "Expecting iterators over type S");
  ptrdiff_t count = std::distance(i, e);
  if (!count) {
    return;
  }
  
  // Get some temporary memory.
  auto p = std::get_temporary_buffer<S>(count);
  if (p.second < count) {
    // Handle error; memory wasn't allocated, or insufficient memory was allocated.
    return;
  }
  S *vals = p.first; 
  
  // Copy the values into the memory.
  std::copy(i, e, vals);
  
  // ...
  
  // Return the temporary memory.
  std::return_temporary_buffer(vals);
}

Implementation Details

A reasonable implementation of std::get_temporary_buffer() and std::copy() can result in code that behaves like the following example (with error-checking elided).

Code Block
unsigned char *buffer = new (std::nothrow) unsigned char[sizeof(S) * object_count];
S *result = reinterpret_cast<S *>(buffer);
while (i != e) {
  *result = *i; // Undefined behavior
  ++result;
  ++i;
}

The act of dereferencing result is undefined behavior because the memory pointed to is not an object of type S within its lifetime.

Compliant Solution (std::uninitialized_copy())

In this compliant solution, std::uninitialized_copy() is used to perform the copy, instead of std::copy(), ensuring that the objects are initialized using placement new instead of dereferencing uninitialized memory. Identical code from the noncompliant code example has been elided for brevity.

Code Block
bgColor#ccccff
langcpp
//...
  // Copy the values into the memory.
  std::uninitialized_copy(i, e, vals);
// ...

Compliant Solution (std::raw_storage_iterator)

This compliant solution uses std::copy() with a std::raw_storage_iterator as the destination iterator with the same well-defined results as using std::uninitialized_copy(). As with the previous compliant solution, identical code from the noncompliant code example has been elided for brevity.

Code Block
bgColor#ccccff
langcpp
//...
  // Copy the values into the memory.
  std::copy(i, e, std::raw_storage_iterator<S*, S>(vals));
// ...
Code Block
bgColor#ccccff

void init_array(char array[]) {
   /* Initialize array */
   return;
}

int main(int argc, char *argv[]) {
   char array[10];
   init_array(array);
   /* ... */
   return 0;
}

Risk Assessment

Referencing an object outside of its lifetime can result in an attacker being able to run arbitrary code.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DCL30

EXP54-CPP

high

High

probable

Probable

high

High

P6

L2

Automated Detection

The LDRA tool suite Version 7.6.0 can detect violations of this rule.

Fortify SCA Version 5.0 can detect violations when an array is declared in a function and then a pointer to that array is returned.

Splint Version 3.1.1 can detect violations of this rule.

Compass/ROSE can detect violations of this rule. It automatically detects returning pointers to local variables. Detecting more general cases, such as examples where static pointers are set to local variables which then go out of scope would be difficult.

The Coverity Prevent RETURN_LOCAL checker finds many instances where a function will return a pointer to a local stack variable. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.

...

Tool

Version

Checker

Description

Astrée

Include Page
Astrée_V
Astrée_V

return-reference-local
dangling_pointer_use
Partially checked
Clang
Include Page
Clang_V
Clang_V

-Wdangling-initializer-list

Catches some lifetime issues related to incorrect use of std::initializer_list<>
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

IO.UAC
ALLOC.UAF

Use after close
Use after free
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C++4003, C++4026

DF2812, DF2813, DF2814, DF2930, DF2931, DF2932, DF2933, DF2934,


Klocwork
Include Page
Klocwork_V
Klocwork_V
CL.FFM.ASSIGN
CL.FFM.COPY
LOCRET.ARG
LOCRET.GLOB
LOCRET.RET
UFM.DEREF.MIGHT
UFM.DEREF.MUST
UFM.FFM.MIGHT
UFM.FFM.MUST
UFM.RETURN.MIGHT
UFM.RETURN.MUST
UFM.USE.MIGHT
UFM.USE.MUST
UNINIT.HEAP.MIGHT
UNINIT.HEAP.MUST
UNINIT.STACK.ARRAY.MIGHT
UNINIT.STACK.ARRAY.MUST
UNINIT.STACK.ARRAY.PARTIAL.MUST
UNINIT.STACK.MIGHT
UNINIT.STACK.MUST
LDRA tool suite
Include Page
LDRA_V
LDRA_V

42 D, 53 D, 77 D, 1 J, 71 S, 565 S

Partially implemented

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_CPP-EXP54-a
CERT_CPP-EXP54-b
CERT_CPP-EXP54-c

Do not use resources that have been freed
The address of an object with automatic storage shall not be returned from a function
The address of an object with automatic storage shall not be assigned to another object that may persist after the first object has ceased to exist

Parasoft Insure++

Runtime detection
Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C++: EXP54-CPP

Checks for:

  • Non-initialized variable or pointer
  • Use of previously freed pointer
  • Pointer or reference to stack variable leaving scope
  • Accessing object with temporary lifetime

Rule partially covered.

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V758V1041, V1099

RuleChecker
Include Page
RuleChecker_V
RuleChecker_V
return-reference-localPartially checked

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

Related Guidelines

...

SEI CERT C Coding Standard

DCL30-C. Declare objects with appropriate storage durations

...

References

...

Bibliography

[Coverity 2007]
[ISO/IEC

...

14882-

...

2014]Subclause 3.8,

...

"Object

...

Lifetime"
Subclause 8.5.4, "List-Initialization" 


...

Image Added Image Added Image Added \[[Henricson 97|AA. C++ References#Henricson 97]\] Rule 5.9, "A function must never return, or in any other way give access to, references or pointers to local variables outside the scope in which they are declared." \[[Lockheed Martin 05|AA. C++ References#Lockheed Martin 05]\] AV Rule 111, "A function shall not return a pointer or reference to a non-static local object." \[[ISO/IEC PDTR 24772|AA. C++ References#ISO/IEC PDTR 24772]\] "DCM Dangling references to stack frames" \[[MISRA 04|AA. C++ References#MISRA 04]\] Rule 8.6DCL17-CPP. Declare function parameters that are large data structures and are not changed by the function as const references      02. Declarations and Initialization (DCL)      DCL31-CPP. Do not define variadic functions