Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated UB references from C11->C23

...

A restrict-qualified pointer is assigned a value based on another restricted pointer whose associated block neither began execution before the block associated with this pointer, nor ended before the assignment (6.7.34.12).

This is an oversimplification, however, and it is important to review the formal definition of restrict in subclause 6.7.3.1 of the C Standard to properly understand undefined behaviors associated with the use of restrict-qualified pointers.

...

Noncompliant Code Example

In this noncompliant code example, the function f() accepts three parameters. The function copies n integers from the int array referenced by the restrict-qualified pointer p to the int array referenced by the restrict-qualified pointer q. Because the destination array is modified during each execution of the function (for which n is nonzero), if the array is accessed through one of the pointer parameters, it cannot also be accessed through the other. Declaring these function parameters as restrict-qualified pointers allows aggressive optimization by the compiler but can also result in undefined behavior if these pointers refer to overlapping objects.

...

Noncompliant Code Example

In this noncompliant code example, the function add() adds the integer array referenced by the restrict-qualified pointers lhs to the integer array referenced by the restrict-qualified pointer rhs and stores the result in the restrict-qualified pointer referenced by res. The function f() declares an array a consisting of 100 int values and then invokes add() to copy memory from one area of the array to another. The call add(100, a, a, a) has undefined behavior because the object modified by res is accessed by lhs and rhs.

...

Ensure that restrict-qualified source and destination pointers do not reference overlapping objects when invoking library functions. For example, the following table lists C standard library functions that copy memory from a source object referenced by a restrict-qualified pointer to a destination object that is also referenced by a restrict-qualified pointer: 

Standard CAnnex K
strcpy()strcpy_s()
strncpy()strncpy_s()
strcat()strcat_s()
strncat()strncat_s()
memcpy()memcpy_s()
 

strtok_s()

If the objects referenced by arguments to functions overlap (meaning the objects share some common memory addresses), the behavior is undefined. (See also undefined behavior 6865.) The result of the functions is unknown, and data may be corrupted. As a result, these functions must never be passed pointers to overlapping objects. If data must be copied between objects that share common memory addresses, a copy function guaranteed to work on overlapping memory, such as memmove(), should be used.

...

Ensure that functions that accept a restrict-qualified pointer to a const-qualified type do not modify the object referenced by that pointer. Formatted input and output standard library functions frequently fit this description. The following table lists of some of the common functions for which the format argument is a restrict-qualified pointer to a const-qualified type.

Standard CAnnex K
printf()printf_s()
scanf()scanf_s()
sprintf()sprintf_s()
snprintf()snprintf_s() 

For formatted output functions such as printf(), it is unlikely that a programmer would modify the format string. However, an attacker may attempt to do so if a program violates FIO30-C. Exclude user input from format strings and passes tainted values as part of the format string. 

...

Code Block
bgColor#ccccff
langc
#include <stdio.h>
 
void func(void) {
  int i;
  float x;
  int n = scanf("%d%f", &i, &x); /* Defined behavior  */ 
  /* ... */
}

...

The incorrect use of restrict-qualified pointers can result in undefined behavior that might be exploited to cause data integrity violations.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP43-C

Medium

Probable

High

P4

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
restrictSupported indirectly via MISRA C 2012 Rule 8.14.
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
LANG.TYPE.RESTRICTRestrict qualifier used
Coverity
Include Page
Coverity_V
Coverity_V

MISRA C 2012 Rule 8.14

Partially implemented
LDRA tool suite
Cppcheck Premium

Include Page

LDRA

Cppcheck Premium_V

LDRA

Cppcheck Premium_V

480 S, 489 S, 613 S

Enhanced enforcementParasoft C/C++test9.5CODSTA-121Fully implementedPolyspace Bug FinderR2016aCopy of overlapping memorySource and destination arguments of a copy function have overlapping memoryPRQA QA-C Include PagePRQA QA-C_vPRQA QA-C_v1057 
premium-cert-exp43-cPartially implemented
GCC8.1-WrestrictFully implemented
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C1057
Klocwork

Include Page
Klocwork_V
Klocwork_V

MISRA.TYPE.RESTRICT.QUAL.2012
LDRA tool suite
Include Page
LDRA_V
LDRA_V

480 S, 489 S, 613 S

Enhanced enforcement
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-EXP43-a

The restrict type qualifier shall not be used
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

586

Assistance provided: reports use of the restrict keyword

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule EXP43-C

Checks for copy of overlapping memory (rule partially covered)

RuleChecker

Include Page
RuleChecker_V
RuleChecker_V

restrictSupported indirectly via MISRA C 2012 Rule 8.14.
SonarQube C/C++ Plugin
Include Page
SonarQube C/C++ Plugin_V
SonarQube C/C++ Plugin_V
S1836Implements MISRA C:2012 Rule 8.14 to flag uses of restrict

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT C Secure Coding StandardFIO30-C. Exclude user input
from format strings 
from format stringsPrior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Passing Parameters and Return Values [CSJ]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961Passing pointers into the same object as arguments to different restrict-qualified parameters [restrict]Prior to 2018-01-12: CERT: Unspecified Relationship
MISRA C:2012
Rule 8
Rule 8.14 (required)1Prior to 2018-01-12: CERT: Unspecified Relationship
  1. MISRA Rule 8.14 prohibits the use of the restrict keyword except in C standard library functions. 

Bibliography

[ISO/IEC 9899:
2011
2024]6.7.
3
4.
1
2, "Formal Definition
of 
of restrict
[Walls 2006]
 

...



...

Image Modified Image Modified Image Modified