...
| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | CONCURRENCY.DATARACE | Data race |
| Coverity | 6.5 | MISSING_LOCK | Fully implemented |
Noncompliant Code Example (Double-Fetch)
This noncompliant code example illustrates Xen Security Advisory CVE-2015-8550 / XSA-155. The code can be vulnerable to a data race in which the integer referenced by ps is modified by a second thread that runs between two reads of the variable.
```c
#include <stdio.h>
#include <stdlib.h>

/* ps points to an integer that another thread may write concurrently */
void doStuff(int* ps) {
  printf("NON-VOLATILE");
  /* One read of *ps in the source, but the compiler may emit more than one
   * load of the location when lowering the switch (e.g., range check plus
   * jump-table index), and a concurrent store can land between them */
  switch (*ps) {
    case 0: {printf("0"); break;}
    case 1: {printf("1"); break;}
    case 2: {printf("2"); break;}
    case 3: {printf("3"); break;}
    case 4: {printf("4"); break;}
    default: {printf("default"); break;}
  }
}
```
Even though there is only one read of the *ps variable in the source code, the compiler is permitted to produce object code that performs multiple reads of the memory location. This is permitted by the "as-if" principle, as explained by section 5.1 of the C99 Rationale:
The "as if" principle is invoked repeatedly in this Rationale. The C89 Committee found that describing various aspects of the C language, library, and environment in terms of concrete models best serves discussion and presentation. Every attempt has been made to craft these models so that implementations are constrained only insofar as they must bring about the same result, "as if" they had implemented the presentation model; often enough the clearest model would make for the worst implementation.
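The same dispatch written out as an added example (not the CERT page's own compliant solution): the first function shows, at source level, the check-on-one-read, use-on-another pattern that a duplicated load of *ps produces; the second assumes the shared selector is declared _Atomic int and performs exactly one atomic load into a local before every check and use, so there is nothing for a concurrent store to slip between. The label table is constructed for the example.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <string.h>

/* Constructed table standing in for the switch arms on the page. */
static const char *const labels[] = { "0", "1", "2", "3", "4" };
#define NLABELS (sizeof labels / sizeof labels[0])

/* Source-level picture of the hazard: a jump-table switch compiled with two
 * reads of *ps range-checks one value and indexes with another. A store by
 * a second thread between the two reads leaves the index unchecked. */
const char *dispatch_double_fetch(const int *ps) {
    if (*ps < 0 || (size_t)*ps >= NLABELS)   /* first read: range check */
        return "default";
    return labels[*ps];                       /* second read: index */
}

/* Hardened form (assumes the shared selector is an _Atomic int): one atomic
 * load into a local, then the check and the use both operate on that copy.
 * An atomic access cannot be split or duplicated, and the local is not
 * visible to other threads, so the checked value is the value used. */
const char *dispatch_single_fetch(_Atomic int *ps) {
    int s = atomic_load_explicit(ps, memory_order_relaxed);
    switch (s) {
    case 0: case 1: case 2: case 3: case 4:
        return labels[s];
    default:
        return "default";
    }
}
```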
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...