...
Comparing i-nodes using the st_ino fields and devices using the st_dev fields ensures that the file passed to lstat() is the same as the file passed to fstat() (see FIO05-AC. Identify files using multiple file attributes).
Automatic Detection
The tool Compass / ROSE does not currently detect TOCTOU race conditions; however it can be easily extended to do so. One must search for a call to open() or fopen(), and obtain the filename argument as well as the file descriptor return value. If the filename is a variable, the variable is referenced earlier in a function by stat() or lstat(), the file descriptor is assigned to a variable, but the variable is never the argument to a subsequent fstat() function call, then this rule is violated.
...