Hauptinhalt

CERT C: Rule EXP36-C

Do not cast pointers into more strictly aligned pointer types

Description

Rule Definition

Do not cast pointers into more strictly aligned pointer types.1

Polyspace Implementation

This checker checks for Source buffer misaligned with destination buffer

Examples

expand all

Issue

The issue Source buffer misaligned with destination buffer occurs when the source pointer and the target pointer in a pointer-to-pointer conversion do not align. The misalignment occurs for reasons such as:

  • The source pointer points to a buffer that is smaller than what the target pointer points to.

  • The source pointer points to a buffer that is larger than what the target pointer points to, but the buffer size is not an exact multiple of the destination buffer size.

  • The source pointer is a void * pointer and the target pointer is not. Polyspace® does not report violations on casts and implicit conversion from NULL and (void*)0.

Polyspace does not report violations of this rule if:

  • You use an environment that allows conversion between misaligned pointers. For instance, in 32bit and 64bit x86 environment, converting char* into uint16_t* does not terminate a program abnormally.

  • You use a source pointer that aligns correctly to the target type. For instance:

    • You use the alignas specifier to match the alignment of the source pointer with that of the target pointer.

    • You use pointers returned by functions such as aligned_alloc(), malloc(), and realloc(). These pointers matches the alignment of the target pointer.

Risk

If the alignment of a pointer changes in a pointer-to-pointer conversion, dereferencing the converted pointer causes abnormal program termination.

Fix

Avoid changing the alignment of a pointer in a pointer-to-pointer conversion.

Example — Change in Pointer Alignment During Conversion
#include <string.h>
struct record {
  int len;
  /* ... */
};

int copyBuffer (char *data, int offset)
{
  struct record *tmp;
  struct record dest;
  tmp = (struct record *) (data + offset);   //Noncompliant
  memcpy (&dest, tmp, sizeof (dest));
  /* ... */

  return dest.len;
}

In this example, the function copyBuffer converts a char* pointer into a struct record* pointer, followed by a memcpy operation. The memcpy operation assumes a struct record* alignment of tmp, which leads to undefined behavior. The rule checker reports a violation of this rule.

To avoid the issue, use data + offset as the source argument of the memcpy operation instead of using an intermediate struct record* pointer.

Example — Conversion from void* to int*
int *lookup (void *loc)
{
  /* ... */
  return loc; //Noncompliant   
}

void search (char *pos)
{
  int *found = lookup (pos);
}

In this example, the lookup function has a void* parameter, but converts the parameter into an int* pointer when returning. In the function search(), calling the function lookup() with a char* pointer results in a conversion between a char* pointer and an int* pointer. Polyspace reports a violation of this rule.

Example — Use alignas Specifier to Avoid Alignment Mismatch

This example aligns the char pointer char_p as an int by using the alignas specifier. Because char_p is aligned as an int, converting it to an int* does not violate this rule.

#include <stdalign.h>
#include <assert.h>
  
void foo(void) {
  /* Align char_p to the alignment of an int */
  alignas(int) char char_p = 'a';
  int *int_p = (int *)&char_p; //Compliant
  char *char_new = (char *)int_p;
  /* Both char_new and &char_p point to equally aligned objects */
  
}

Check Information

Group: Rule 03. Expressions (EXP)

Version History

Introduced in R2019a

expand all


1 This software has been created by MathWorks incorporating portions of: the “SEI CERT-C Website,” © 2017 Carnegie Mellon University, the SEI CERT-C++ Web site © 2017 Carnegie Mellon University, ”SEI CERT C Coding Standard – Rules for Developing safe, Reliable and Secure systems – 2016 Edition,” © 2016 Carnegie Mellon University, and “SEI CERT C++ Coding Standard – Rules for Developing safe, Reliable and Secure systems in C++ – 2016 Edition” © 2016 Carnegie Mellon University, with special permission from its Software Engineering Institute.

ANY MATERIAL OF CARNEGIE MELLON UNIVERSITY AND/OR ITS SOFTWARE ENGINEERING INSTITUTE CONTAINED HEREIN IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This software and associated documentation has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute.