...
The C Standard [ISO/IEC 9899:2011] identifies the following undefined behavior:
A restrict-qualified pointer is assigned a value based on another restricted pointer whose associated block neither began execution before the block associated with this pointer, nor ended before the assignment (6.7.3.1).
This is an oversimplification, however, and it is important to review the formal definition of restrict in subclause 6.7.3.1 of the C Standard to properly understand the undefined behaviors associated with the use of restrict-qualified pointers.
...
Noncompliant Code Example
In this noncompliant code example, the function f() accepts three parameters. The function copies n integers from the int array referenced by the restrict-qualified pointer p to the int array referenced by the restrict-qualified pointer q. Because the destination array is modified during each execution of the function (for which n is nonzero), if the array is accessed through one of the pointer parameters, it cannot also be accessed through the other. Declaring these function parameters as restrict-qualified pointers allows aggressive optimization by the compiler but can also result in undefined behavior if these pointers refer to overlapping objects.
...
Noncompliant Code Example
In this noncompliant code example, the function add() adds the integer array referenced by the restrict-qualified pointer lhs to the integer array referenced by the restrict-qualified pointer rhs and stores the result in the integer array referenced by the restrict-qualified pointer res. The function f() declares an array a consisting of 100 int values and then invokes add() to copy memory from one area of the array to another. The call add(100, a, a, a) has undefined behavior because the object modified through res is also accessed through lhs and rhs.
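The two noncompliant examples above (the restrict-qualified copy routine and add() called on a 100-element int array) are illustrated by the following added example, which is not code from the CERT page. It declares its own copy_ints() and add_ints() with the same restrict contracts, shows the calls that are well defined (disjoint halves of one array, and two read-only restrict pointers that alias each other), and shows how the overlapping cases are handled without undefined behavior: memmove(), whose parameters are not restrict-qualified, for the shifting copy, and an add variant declared without restrict for the in-place add(100, a, a, a). All function and variable names are assumptions of this example; the array contents are constructed input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define N 100

/* Copies n ints from src to dst. Both parameters are restrict-qualified, so
 * the caller promises that dst[0..n-1] and src[0..n-1] do not overlap; an
 * overlapping call is undefined behavior, whatever the loop "seems" to do. */
void copy_ints(size_t n, int * restrict dst, const int * restrict src) {
  while (n-- > 0) {
    *dst++ = *src++;
  }
}

/* res[i] = lhs[i] + rhs[i]. Because res is modified through a restrict
 * pointer, no element written through res may also be reached through lhs
 * or rhs. lhs and rhs may alias each other: neither is used to modify. */
void add_ints(size_t n, int * restrict res,
              const int * restrict lhs, const int * restrict rhs) {
  for (size_t i = 0; i < n; ++i) {
    res[i] = lhs[i] + rhs[i];
  }
}

/* The same computation without restrict: the compiler must assume aliasing,
 * so an in-place call such as add_ints_alias_ok(n, a, a, a) is well defined. */
void add_ints_alias_ok(size_t n, int *res, const int *lhs, const int *rhs) {
  for (size_t i = 0; i < n; ++i) {
    res[i] = lhs[i] + rhs[i];
  }
}

/* Constructed input: a[i] = i. */
static void fill_ramp(int *a, size_t n) {
  for (size_t i = 0; i < n; ++i) a[i] = (int)i;
}

static long sum_ints(const int *a, size_t n) {
  long s = 0;
  for (size_t i = 0; i < n; ++i) s += a[i];
  return s;
}

/* Well defined: source a[0..49] and destination a[50..99] are disjoint. */
long disjoint_copy(void) {
  int a[N];
  fill_ramp(a, N);
  copy_ints(N / 2, a + N / 2, a);
  return sum_ints(a, N); /* 2 * (0 + ... + 49) = 2450 */
}

/* Shifting a[0..98] into a[1..99] overlaps, so copy_ints() (and memcpy(),
 * whose parameters are also restrict-qualified) must not be used. memmove()
 * is declared without restrict and handles overlap by contract. */
long shifted_copy(void) {
  int a[N];
  fill_ramp(a, N);
  memmove(a + 1, a, (N - 1) * sizeof a[0]);
  return sum_ints(a, N); /* 0 + (0 + ... + 98) = 4851 */
}

/* Well defined: res covers a[50..99]; lhs and rhs only read a[0..49]. */
long disjoint_add(void) {
  int a[N];
  fill_ramp(a, N);
  add_ints(N / 2, a + N / 2, a, a);
  return sum_ints(a, N); /* 1225 + 2 * 1225 = 3675 */
}

/* The in-place add(100, a, a, a) from the text, made well defined by calling
 * the variant whose parameters are not restrict-qualified. */
long in_place_double(void) {
  int a[N];
  fill_ramp(a, N);
  add_ints_alias_ok(N, a, a, a);
  return sum_ints(a, N); /* 2 * (0 + ... + 99) = 9900 */
}

int main(void) {
  printf("%ld %ld %ld %ld\n", disjoint_copy(), shifted_copy(),
         disjoint_add(), in_place_double());
  return 0;
}
```

The restrict promise cannot be checked portably at run time, because comparing pointers that do not point into the same object is itself undefined in C; the defensive choice is to keep restrict off any interface that may legitimately be called with overlapping arguments, as add_ints_alias_ok() does. GCC's -Wrestrict, listed in the Automated Detection table below, may diagnose calls in which a restrict-qualified argument is visibly aliased by another argument, such as add_ints(N, a, a, a).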
...
```c
#include <stdio.h>

void func(void) {
  int i;
  float x;
  int n = scanf("%d%f", &i, &x); /* Defined behavior */
  /* ... */
}
```
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated Detection
Tool | Version | Checker | Description
---|---|---|---
Astrée | | restrict | Supported indirectly via MISRA C 2012 Rule 8.14.
CodeSonar | | LANG.TYPE.RESTRICT | Restrict qualifier used
Coverity | | MISRA C 2012 Rule 8.14 | Partially implemented
Cppcheck Premium | | premium-cert-exp43-c | Partially implemented
GCC | 8.1 | -Wrestrict | Fully implemented
Helix QAC | | C1057 |
Klocwork | | MISRA.TYPE.RESTRICT.QUAL.2012 |
LDRA tool suite | | 480 S, 489 S, 613 S | Enhanced enforcement
Parasoft C/C++test | | CERT_C-EXP43-a | The restrict type qualifier shall not be used
PC-lint Plus | | CODSTA-121 | Fully implemented
 | | 586 | Assistance provided: reports use of the restrict keyword
Polyspace Bug Finder | | MISRA 2012 Rule 8.14 | Checks for copy of overlapping memory (rule partially covered): source and destination arguments of a copy function have overlapping memory; the restrict type qualifier shall not be used
PRQA QA-C | | 1057 |
RuleChecker | | restrict | Supported indirectly via MISRA C 2012 Rule 8.14.
SonarQube C/C++ Plugin | | S1836 | Implements MISRA C:2012 Rule 8.14 to flag uses of restrict
Related Guidelines
...
Bibliography
[ISO/IEC 9899:2011] | 6.7.3.1, "Formal Definition of restrict"
[Walls 2006] |
...