Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

An object that has volatile-qualified type may be modified in ways unknown to the implementation or have other unknown side effects. Asynchronous signal handling falls under these conditions, for example, may cause objects to be modified in a manner unknown to the compiler. Without this type qualifier, unintended optimizations may occur.

Wiki Markup
The {{volatile}} keyword eliminates this confusion by imposing restrictions on access and caching. According to the C99 Rationale \[[ISO/IEC 03|AA. C References#ISO/IEC 03]\]:

. These optimizations may cause race conditions because a programmer may write code that prevents a race condition, yet the compiler is not aware of the programmer's data model and may modify the code during compilation to permit race conditions.

The volatile keyword eliminates this confusion by imposing restrictions on access and caching. According to the C99 Rationale [C99 Rationale 2003],

No caching No cacheing through this lvalue: each operation in the abstract semantics must be performed (that is, no cacheing caching assumptions may be made, since because the location is not guaranteed to contain any previous value). In the absence of this qualifier, the contents of the designated location may be assumed to be unchanged except for possible aliasing.

Non-Compliant Coding Example

Type qualifying objects as volatile does not guarantee synchronization between multiple threads, protect against simultaneous memory accesses, or, unless used to declare objects of type sig_atomic_t, guarantee atomicity of accesses to the object. For restrictions specific to signal handlers, see SIG31-C. Do not access shared objects in signal handlers. However, type qualifying objects as volatile does ensure that a conforming compiler will not elide or reorder access to the object.

Noncompliant Code Example

In this noncompliant code example, the programmer is targeting a custom piece of hardware that controls an LED by writing values into a register bank. The register bank is memory mapped into the process such that writing to a specific memory location will actually place a value into a hardware register to be read by the LED controller. The programmer intends to turn the LED on by placing value 1 into the first register, and then turn the LED off later by placing the value 0 into the first registerIf the value of i is cached, the while loop may never terminate, even on the program receiving a SIGINT.

Code Block
bgColor#FFcccc#ffcccc
langc
#include <stddef.h>
#include <signal<stdint.h>

sizeextern void get_register_bank(int32_t i;

void handler() {
  i = 0;
}

int main**bank,
                              size_t *num_registers);
extern void external_wait(void);

void func(void) {
  signal(SIGINT, handler)int32_t bank[3];
   i = 1size_t num_regs = 3;

  get_register_bank((int32_t **)&bank, &num_regs);
  whileif (inum_regs < 3) {
    /* doHandle somethingerror */
   }
}

Compliant Solution



  bank[0] = 1;
  external_wait();
  bank[0] = 0;
}

The compiler is free to optimize what it perceives as being a dead store to bank[0] by removing the first assignment to the variable. This would cause the LED to never be turned on in an optimized build. 

Compliant Solution

In this compliant solution, the register bank's memory is qualified with the volatile keyword, ensuring the compiler does not optimize access to the memoryi is accessed for every iteration of the while loop.

Code Block
bgColor#ccccff
langc
#include <stddef.h>
#include <signal<stdint.h>

extern void get_register_bank(volatile int32_t **bank,
                              size_t i *num_registers);
extern void external_wait(void);

void handlerfunc(void) {
  ivolatile = 0int32_t bank[3];
}

int main(void) {
  signal(SIGINT, handler);
  i = 1 size_t num_regs = 3;

  get_register_bank((volatile int32_t **)&bank, &num_regs);
  whileif (inum_regs < 3) {
    /* doHandle somethingerror */
   }
}

  bank[0] = 1;
  external_wait();
  bank[0] = 0;
}

Risk Assessment

In addition to incorrect optimizations, this can cause race conditions, resulting in an inconsistent state.

Failure to declare variables containing data that cannot be cached as volatile can result in unexpected runtime behavior resulting from compiler optimizations.

Recommendation

Rule

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

DCL34

DCL22-C

2 (medium)

2 (probable)

2 (medium)

P6

L2

Low

Probable

No

Yes

P4

L3

Automated Detection

Tool

Version

Checker

Description

LDRA tool suite
 
Include Page
LDRA_V
LDRA_V
8 DPartially implemented
Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-DCL22-a

Avoid unused values
Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. DCL22-C


Checks for write without a further read (rule partially covered)

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

...

Related Guidelines

Bibliography

[C99 Rationale 2003] Subclause

...

6.7.3,

...

"Type Qualifiers"


...

Image Added Image Added Image Added qualifiers" \[[Sun 05|AA. C References#Sun 05]\] [Chapter 6, "Transitioning to ISO C"|http://docs.sun.com/source/819-3688/tguide.html#pgfId-997898]