SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 27 Next »

According to C99 [[ISO/IEC 9899-1999]] Section 6.7.3, "Type qualifiers," Paragraph 5:

If an attempt is made to refer to an object defined with a volatile-qualified type through use of an lvalue with non-volatile-qualified type, the behavior is undefined.

This also applies to objects that behave as if they were defined with qualified types, such as an object at a memory-mapped input/output address.

Non-Compliant Code Example

In this example, a volatile object is accessed through a non-volatile-qualified reference, resulting in undefined behavior.

static volatile int **ipp;
static int *ip;
static volatile int i = 0;

printf("i = %d.\n", i);

ipp = &ip; /* constraint violation */
*ipp = &i; /* valid */
if (*ip != 0) { /* valid */
  /* ... */
}

The assignment ipp = &ip is unsafe because it would allow the valid code that follows to reference the value of the volatile object i through the non-volatile qualified reference ip. In this example, the compiler may optimize out the entire if block because it is not possible that i != 0 if i is not volatile.

Implementation Details

This example compiles without warning on Microsoft Visual C++ .NET (2003) and on MS Visual Studio 2005. 

This example does not compile on MS Visual Studio 2008. The error message is

error C2440: '=' : cannot convert from 'int **' to 'volatile int **'

Version 3.2.2 and Version 4.1.3 of the GCC compiler generate a warning, but they compile.

Compliant Solution

In this compliant solution, ip is declared as volatile.

static volatile int **ipp;
static volatile int *ip;
static volatile int i = 0;

printf("i = %d.\n", i);

ipp = &ip;
*ipp = &i;
if (*ip != 0) {
  /* ... */
}

Risk Assessment

Accessing a volatile object through a non-volatile reference can result in undefined and perhaps unintended program behavior.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP32-C

1 (low)

3 (likely)

2 (medium)

P6

L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[ISO/IEC 9899-1999]] Section 6.7.3, "Type qualifiers," and Section 6.5.16.1, "Simple assignment"
[[ISO/IEC PDTR 24772]] "HFC Pointer casting and pointer type changes"
[[MISRA 04]] Rule 11.5

EXP31-C. Do not modify constant values      03. Expressions (EXP)       EXP33-C. Do not reference uninitialized variables

  • No labels