Page History

...

int ar[20];

for (int *ip = &ar[0]; ip < &ar[21]; ip++) {
  *ip = 0;
}

Wiki MarkupC+\+2003 guarantees that it is permissible to use the address of {{ar\[20\]}} even though no such element exists. However, in this noncompliant code example, the bound of the array is incorrectly specified, and consequently, the reference to {{&ar\[21\]}} constitutes undefined behavior. On the final iteration of the loop, the expression {{ip+\+}} (which adds 1 to {{ip}}) will also overflow.

This code also suffers from using "magic numbers," described in DCL06-CPP. Use meaningful symbolic constants to represent literal values in program logic. When replacing the numbers with constants, a developer is likely to catch the invalid array bounds in the for statement.

Compliant Solution (Arrays)

Wiki MarkupThis compliant solution fixes the problem from the previous noncompliant code example by using the common idiom {{sizeof(ar)/sizeof(ar\[0\])}} to determine the actual number of elements in the array. This idiom works only when the definition of the array is visible (see [ARR01-CPP. Do not apply the sizeof operator to a pointer when taking the size of an array]).

int ar[20];

for (int *ip = &ar[0]; ip < &ar[sizeof(ar)/sizeof(ar[0])]; ip++) {
  *ip = 0;
}

Wiki MarkupC+\+2003 guarantees that it is permissible to use the address of {{ar\[sizeof(ar)/sizeof(ar\[0\])\]}} even though no such element exists. This allows you to use it for checks in loops like the one in this Compliant Solution. The guarantee extends only to one element beyond the end of an array and no further [Banahan 03].

Noncompliant Code Example (Vectors)

...

char *buf;
size_t len = 1 << 30;

/* Check for overflow */
if (buf + len < buf) {
  len = -(size_t)buf-1;
}

Wiki MarkupThis code resembles the test for wraparound from the {{sprint()}} function as implemented for the Plan 9 operating system. If {{buf + len < buf}} evaluates to true, {{len}} is assigned the remaining space minus 1 byte. However, because the expression {{buf + len < buf}} constitutes undefined behavior, compilers can assume this condition will never occur and optimize out the entire conditional statement. In gcc versions 4.2 and later, for example, code that performs checks for wrapping that depend on undefined behavior (such as the code in this noncompliant code example) are optimized away; no object code to perform the check appears in the resulting executable program \[ [VU#162289|AA. Bibliography#VU#162289]\]. This is of special concern because it often results in the silent elimination of code that was inserted to provide a safety or security check. For gcc version 4.2.4 and later, this optimization may be disabled for with the {{-fno-strict-overflow}} option.

Compliant Solution (Linear Address Space)

...

This rule appears in the C Secure Coding Standard as VOID Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element.

References

...

\[[Banahan 03|AA. Bibliography#Banahan 03]\] [Section 5.3, "Pointers,"|http://publications.gbdirect.co.uk/c_book/chapter5/pointers.html] and [Section 5.7, "Expressions involving pointers"|http://publications.gbdirect.co.uk/c_book/chapter5/pointer_expressions.html] \[[ISO/IEC 14882-2003|AA. Bibliography#ISO/IEC
[ISO/IEC 14882-2003]\] Section 18.7 \
[[MITRE 07|AA. Bibliography#MITRE 07]\] [CWE ID 129|http://cwe.mitre.org/data/definitions/ 129.html], "Unchecked Array Indexing" \
[[VU#162289|AA. Bibliography#VU#162289]\]

...

ARR37-CPP. Do not add or subtract an integer to a pointer to a non-array object      06. Arrays and the STL (ARR)      ARR39-CPP. Do not treat arrays polymorphically