An object that has volatile-qualified type may be modified in ways unknown to the implementation or have other unknown side effects. Asynchronous signal handling falls under these conditions. Without this type qualifier, unintended optimizations may occur.
The volatile keyword eliminates this confusion by imposing restrictions on access and caching. According to the C99 Rationale [[ISO/IEC 03]]:
No cacheing through this lvalue: each operation in the abstract semantics must be performed (that is, no cacheing assumptions may be made, since the location is not guaranteed to contain any previous value). In the absence of this qualifier, the contents of the designated location may be assumed to be unchanged except for possible aliasing.
Non-Compliant Coding Example
If the value of i is cached, the while loop may never terminate, even on the program receiving a SIGINT.
#include <signal.h>
size_t i;
void handler() {
i = 0;
}
int main(void) {
signal(SIGINT, handler);
i = 1;
while (i) {
/* do something */
}
}
Compliant Solution
i is accessed for every iteration of the while loop.
#include <signal.h>
volatile size_t i;
void handler() {
i = 0;
}
int main(void) {
signal(SIGINT, handler);
i = 1;
while (i) {
/* do something */
}
}
Risk Assessment
In addition to incorrect optimizations, this can cause race conditions, resulting in an inconsistent state.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
DCL34-C |
2 (medium) |
2 (probable) |
2 (medium) |
P8 |
L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899-1999:TC2]] Section 6.7.3, "Type qualifiers"
[[ISO/IEC 03]] Section 6.7.3, "Type qualifiers"
[[Sun 05]] Chapter 6, "Transitioning to ISO C"