[[Dewhurst 02]] Gotcha #5, "Misunderstanding References" says:

> Strangely, it's not illegal to apply a `const` or `volatile` qualifier to a type name that is of reference type. Rather than cause an error, the qualifier...can be ignored.
Noncompliant Code Example
```cpp
char c = 'c';
char &const p = c;
p = 'p';
cout << c << endl;
```
Implementation Details
On Microsoft Visual C++, this code compiles without incident and outputs:
p
G++ version 4.2.4 refuses to compile the code, complaining:
: error: 'const' qualifiers cannot be applied to 'char&'
Compliant Solution
If constant access is required, instead of using a const-qualified reference type, one can use a const pointer to const data:

```cpp
char c = 'c';
const char *const p = &c; // const pointer to const char
*p = 'p'; // causes compiler error
cout << c << endl;
```
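The following is an added example, not code from the original rule or from Dewhurst. It goes beyond the `char &const` declaration above to the case the quotation describes, where the qualifier reaches the reference through a type name or a template argument and conforming compilers accept it and drop it. The names `CharRef`, `ReadOnlyRef`, `NaiveAddConst` and the functions are hypothetical.

```cpp
#include <iostream>
#include <type_traits>

typedef char &CharRef;            // a type name that is of reference type
typedef const char &ReadOnlyRef;  // const qualifies the referent instead

// const applied to the alias is dropped: the type is still plain char&.
bool qualifier_is_dropped() {
  return std::is_same<const CharRef, char &>::value;
}

// Whether a char can be assigned through each reference type.
bool writable_via_const_alias() {
  return std::is_assignable<const CharRef, char>::value;
}
bool writable_via_read_only_ref() {
  return std::is_assignable<ReadOnlyRef, char>::value;
}

// Compiles on conforming compilers and modifies c despite the "const".
char write_through_const_alias() {
  char c = 'c';
  const CharRef p = c;  // looks read-only, is really char &p
  p = 'p';
  return c;
}

// The qualifier is also lost when a reference type reaches a template.
template <typename T>
struct NaiveAddConst {
  typedef const T type;
};
bool template_drops_qualifier() {
  return std::is_same<NaiveAddConst<char &>::type, char &>::value;
}

int main() {
  std::cout << std::boolalpha
            << qualifier_is_dropped() << ' '
            << writable_via_const_alias() << ' '
            << writable_via_read_only_ref() << ' '
            << write_through_const_alias() << ' '
            << template_drops_qualifier() << '\n';
  return 0;
}
```

The type-trait checks can be turned into `static_assert`s in a code base to catch an alias or template that was expected to yield read-only access but does not.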
Risk Assessment
`const` and `volatile` qualifiers applied to a reference type may be freely ignored by the compiler, causing unexpected values to be stored and leading to possible data integrity violations.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| DCL33-CPP | low | unlikely | medium | P2 | L3 | 
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[Dewhurst 02]] Gotcha #5, "Misunderstanding References"