Declaring function parameters const
indicates that the function promises not to change these values.
In C, function arguments are passed by value rather than by reference. While a function may change the values passed in, these changed values are discarded once the function returns. For this reason, many programmers assume a function will not change its arguments, and declaring the function's parameters as const
is unnecessary.
void foo(int x) { x = 3; /* persists only until the function exits */ /* ... */ }
Pointers behave in a similar fashion. A function may change a pointer to reference a different object, or NULL, yet that change is discarded once the function exits. Consequently, declaring a pointer as const
is unnecessary.
void foo(int *x) { x = NULL; /* persists only until the function exits */ /* ... */ }
Noncompliant Code Example
Unlike passed-by-value arguments and pointers, pointed-to values are a concern. A function may modify a value referenced by a pointer argument, leading to a side effect which persists even after the function exits. Modification of the pointed-to value is not diagnosed by the compiler, which assumes this was the intended behavior.
void foo(int *x) { if (x != NULL) { *x = 3; /* visible outside function */ } /* ... */ }
If the function parameter is const
-qualified, any attempt to modify the pointed-to value results in a fatal diagnostic.
void foo(const int *x) { if (x != NULL) { *x = 3; /* generates compiler error */ } /* ... */ }
As a result, the const
violation must be resolved before the code can be compiled.
Compliant Solution
This compliant solution addresses the const violation by not modifying the constant argument.
void foo(const int * x) { if (x != NULL) { printf("Value is %d\n", *x); } /* ... */ }
Noncompliant Code Example
This noncompliant code example defines a fictional version of the standard strcat()
function called strcat_nc()
. This function differs from strcat()
in that the second argument is not const
-qualified.
char *strcat_nc(char *s1, char *s2); char *str1 = "str1"; const char *str2 = "str2"; char str3[9] = "str3"; const char str4[9] = "str4"; strcat_nc(str3, str2); /* Compiler warns that str2 is const */ strcat_nc(str1, str3); /* Attempts to overwrite string literal! */ strcat_nc(str4, str3); /* Compiler warns that str4 is const */
The function behaves the same as strcat()
, but the compiler generates warnings in incorrect locations and fails to generate them in correct locations.
In the first strcat_nc()
call, the compiler generates a warning about attempting to cast away const on str2
. This is because strcat_nc()
does not modify its second argument, yet fails to declare it const
.
In the second strcat_nc()
call, the compiler compiles the code with no warnings, but the resulting code will attempt to modify the "str1"
literal. This violates recommendation STR05-C. Use pointers to const when referring to string literals and rule STR30-C. Do not attempt to modify string literals.
In the final strcat_nc()
call, the compiler generates a warning about attempting to cast away const
on str4
. This is a valid warning.
Compliant Solution
This compliant solution uses the prototype for the strcat()
from C90. Although the restrict
type qualifier did not exist in C90, const
did. In general, function parameters should be declared in a manner consistent with the semantics of the function. In the case of strcat()
, the initial argument can be changed by the function while the second argument cannot.
char *strcat(char *s1, const char *s2); char *str1 = "str1"; const char *str2 = "str2"; char str3[9] = "str3"; const char str4[9] = "str4"; strcat(str3, str2); /* Args reversed to prevent overwriting string literal */ strcat(str3, str1); strcat(str4, str3); /* Compiler warns that str4 is const */
The const
\qualification of the second argument s2
eliminates the spurious warning in the initial invocation but maintains the valid warning on the final invocation in which a const
-qualified object is passed as the first argument (which can change). Finally, the middle strcat()
invocation is now valid, as str3
is a valid destination string and may be safely modified.
Risk Assessment
Not declaring an unchanging value const
prohibits the function from working with values already cast as const
. This problem can be sidestepped by type casting away the const
, but doing so violates recommendation EXP05-C. Do not cast away a const qualification.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DCL13-C | low | unlikely | low | P3 | L3 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Compass/ROSE |
|
| can detect violations of this recommendation while checking for violations of recommendation DCL00-C. Const-qualify immutable objects |
9.7.1 | 62 D | Fully Implemented | |
1.2 | cnstpnte | Fully Implemented |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: DCL13-CPP. Declare function parameters that are pointers to values not changed by the function as const
ISO/IEC TR 24772 "CSJ Passing parameters and return values"