Iterators are a generalization of pointers that allow a C++ program to work with different data structures (containers) in a uniform manner [ISO/IEC 14882-2014]. Pointers, references, and iterators share a close relationship in which it is required that referencing values be done through a valid iterator, pointer, or reference. Storing an iterator, reference, or pointer to an element within a container for any length of time comes with a risk that the underlying container may be modified such that the stored iterator, pointer, or reference becomes invalid. For instance, when a sequence container such as std::vector
requires an underlying reallocation, outstanding iterators, pointers, and references will be invalidated [Kalev 99]. Use only a valid pointer, reference, or iterator to refer to an element of a container.
The C++ Standard, [container.requirements.general], paragraph 12 [ISO/IEC 14882-2014] states the following:
Unless otherwise specified (either explicitly or by defining a function in terms of other functions), invoking a container member function or passing a container as an argument to a library function shall not invalidate iterators to, or change the values of, objects within that container.
The C++ Standard allows references and pointers to be invalidated independently for the same operation, which may result in an invalidated reference but not an invalidated pointer. However, relying on this distinction is insecure because the object pointed to by the pointer may be different than expected even if the pointer is valid. For instance, it is possible to retrieve a pointer to an element from a container, erase that element (invalidating references when destroying the underlying object), then insert a new element at the same location within the container causing the extant pointer to now point to a valid, but distinct object. Thus, any operation that invalidates a pointer or a reference should be treated as though it invalidates both pointers and references.
The following container functions can invalidate iterators, references, and pointers under certain circumstances.
Class | Function | Iterators | References/Pointers | Notes |
---|---|---|---|---|
std::deque | ||||
insert() , emplace_front() , emplace_back() ,emplace() , push_front() , push_back() | X | X | An insertion in the middle of the deque invalidates all the iterators and references to elements of the deque. An insertion at either end of the deque invalidates all the iterators to the deque but has no effect on the validity of references to elements of the deque. ([deque.modifiers], paragraph 1) | |
erase() , pop_back() , resize() | X | X | An erase operation that erases the last element of a deque invalidates only the past-the-end iterator and all iterators and references to the erased elements. An erase operation that erases the first element of a deque but not the last element invalidates only the erased elements. An erase operation that erases neither the first element nor the last element of a deque invalidates the past-the-end iterator and all iterators and references to all the elements of the deque. ([deque.modifiers], paragraph 4) | |
clear() | X | X | Destroys all elements in the container. Invalidates all references, pointers, and iterators referring to the elements of the container and may invalidate the past-the-end iterator. ([sequence.reqmts], Table 100) | |
std::forward_list | ||||
erase_after() , pop_front() , resize() | X | X | erase_after shall invalidate only iterators and references to the erased elements. ([forwardlist.modifiers], paragraph 1) | |
remove() , unique() | X | X | Invalidates only the iterators and references to the erased elements. ([forwardlist.ops], paragraph 12 & paragraph 16) | |
clear() | X | X | Destroys all elements in the container. Invalidates all references, pointers, and iterators referring to the elements of the container and may invalidate the past-the-end iterator. ([sequence.reqmts], Table 100) | |
std::list | ||||
erase() , pop_front() , pop_back() , clear() , remove() , remove_if() , unique() | X | X | Invalidates only the iterators and references to the erased elements. ([list.modifiers], paragraph 3 and [list.ops], paragraph 15 & paragraph 19) | |
clear() | X | X | Destroys all elements in the container. Invalidates all references, pointers, and iterators referring to the elements of the container and may invalidate the past-the-end iterator. ([sequence.reqmts], Table 100) | |
std::vector | ||||
reserve() | X | X | After | |
insert() , emplace_back() , emplace() , push_back() | X | X | Causes reallocation if the new size is greater than the old capacity. If no reallocation happens, all the iterators and references before the insertion point remain valid. ([vector.modifiers], paragraph 1). All iterators and references after the insertion point are invalidated. | |
erase() , pop_back() , resize() | X | X | Invalidates iterators and references at or after the point of the erase. ([vector.modifiers], paragraph 3) | |
clear() | X | X | Destroys all elements in the container. Invalidates all references, pointers, and iterators referring to the elements of the container and may invalidate the past-the-end iterator. ([sequence.reqmts], Table 100) | |
std::set , std::multiset , std::map , std::multimap | ||||
erase() , clear() | X | X | Invalidates only iterators and references to the erased elements. ([associative.reqmts], paragraph 9) | |
| ||||
erase() , clear() | X | X | Invalidates only iterators and references to the erased elements. ([unord.req], paragraph 14) | |
insert() , emplace() | X | The | ||
rehash() , reserve() | X | Rehashing invalidates iterators, changes ordering between elements, and changes which buckets the elements appear in but does not invalidate pointers or references to elements. ([unord.req], paragraph 9) | ||
std::valarray | resize() | X | Resizing invalidates all pointers and references to elements in the array. ([valarray.members], paragraph 12) |
A std::basic_string
object is also a container to which this rule applies. For more specific information pertaining to std::basic_string
containers, see STR52-CPP. Use valid references, pointers, and iterators to reference elements of a basic_string.
Noncompliant Code Example
In this noncompliant code example, pos
is invalidated after the first call to insert()
Wiki Markup |
---|
Reallocation can occur when a member function modifies its container. Modifying member functions include {{reserve()}} and {{resize()}}, {{push_back()}}, {{pop_back()}}, {{erase()}}, {{clear()}}, {{insert()}}, and others. In addition, assignment operations and modifying algorithms can also cause reallocation. When a container reallocates its elements, their addresses change. Consequently, the values of existing iterators are invalidated \[[Kalev 99|AA. C++ References#Kalev 99]\]. Using invalid iterators yields undefined results. (This problem is also discussed in [DAN33-C|DAN33-C. Do not use invalid iterators].) |
Non-Compliant Code Example
In this example, the iterator pos
is invalidated after the call to insert, and subsequent loop iterations have undefined behavior.
Code Block | ||||
---|---|---|---|---|
| ||||
double data[5] = { 2.3, 3.7, 1.4, 0.8, 9.6 }; #include <deque> void f(const double *items, std::size_t count) { std::deque<double> d; deque<double>::iterator auto pos = d.begin(); for (std::size_t i = 0; i < 5count; ++i, ++pos) { d.insert(pos++, dataitems[i] + 41.0); } } |
Compliant Solution
...
(Updated Iterator)
In this compliant solution, pos
is assigned a valid iterator on each insertion, preventing undefined behavior.Update pos
each time insert is called to keep the iterators valid, and then increment it:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <deque> double data[5] = { 2.3, 3.7, 1.4, 0.8, 9.6 }; void f(const double *items, std::size_t count) { std::deque<double> d; deque<double>::iterator auto pos = d.begin(); for (std::size_t i = 0; i < 5count; ++i, ++pos) { pos = d.insert(pos, dataitems[i] + 41.0); ++pos;} } |
Compliant Solution
...
(Generic Algorithm)
This compliant solution replaces the handwritten loop with the generic standard template library algorithm std::transform()
. The call to std::transform()
accepts the range of elements to transform, the location to store the transformed values (which, in this case, is a std::inserter
object to insert them at the beginning of d
), and the transformation function to apply (which, in this case, is a simple lambda)Use an algorithm.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <algorithm> double data[5] = { 2.3, 3.7, 1.4, 0.8, 9.6 }; #include <deque> #include <iterator> void f(const double *items, std::size_t count) { std::deque<double> d; std::transform(dataitems, dataitems +5 count, std::inserter(d, d.begin()), bind2nd(plus<int>(), 41)); [](double d) { return d + 41.0; }); } |
Risk Assessment
Using invalid iterators yields undefined resultsreferences, pointers, or iterators to reference elements of a container results in undefined behavior.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|
STL30-C
1 (low)
2 (probable)
1 (high)
P2
L3
References
- Meyers 01 Item 43: Prefer algorithm calls to hand-written loops.
- Sutter 04 Item 84: Prefer algorithm calls to handwritten loops.
CTR51-CPP | High | Probable | High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| overflow_upon_dereference | |||||||
CodeSonar |
| ALLOC.UAF | Use After Free | ||||||
Helix QAC |
| DF4746, DF4747, DF4748, DF4749 | |||||||
Klocwork |
| ITER.CONTAINER.MODIFIED | |||||||
Parasoft C/C++test |
| CERT_CPP-CTR51-a | Do not modify container while iterating over it | ||||||
Polyspace Bug Finder |
| CERT C++: CTR51-CPP | Checks for use of invalid iterator (rule partially covered). | ||||||
PVS-Studio |
| V783 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ Coding Standard | STR52-CPP. Use valid references, pointers, and iterators to reference elements of a basic_string |
Bibliography
...
[ISO/IEC 14882-2014] | Clause 23, "Containers Library" |
[Kalev 1999] |
ANSI/ISO C++ Professional Programmer's Handbook |
...
[Meyers 2001] | Item 43, "Prefer Algorithm Calls to Handwritten Loops" |
[Sutter 2004] | Item 84, "Prefer Algorithm Calls to Handwritten Loops" |
...
...