Oops, They Did It Again!

“There are no secrets that time does not reveal.”
— Jean Racine
In an act of unprecedented arrogance, Apple once again dictated to their users what they believe is good for them — this is yet another example of how they take away their users’ freedom.

Yesterday, they finally admitted what measurements by various users had suggested earlier: one year ago Apple introduced a feature that deliberately slows down the performance of older iPhone models in order to “deliver the best experience to their customers”.

This is, of course, total BS. It’s obvious that the real motive was to boost sales of their new products. Why? Because they kept it secret. Period.

If they really had the best of their customers in mind, they would have announced such a drastic step in good time. Further, they would have given their users a choice (something totally alien to them) by presenting a simple opt-in dialog:

Dear loyal customer, we’ve discovered that the capacity of your phone’s battery has become low. We strongly suggest that you either a) buy one of our latest models, b) replace your battery (which will cost you many $$$, because you can’t do it yourself), or c) reduce the CPU performance, which will DELIVER THE BEST EXPERIENCE to you. What do you want us to deliver to you?

1. Our latest iPhone model
2. A replacement battery
3. The best experience

Some time ago, I wrote a post which details why I don’t buy iThings and this recent incident just adds to the list. However, I’m enough of a realist to doubt that it will reduce the total number of iThings under this year’s Christmas trees.

Pointers in C, Part III: The Strict Aliasing Rule

“Know the rules well, so you can break them effectively.”
— Dalai Lama XIV

One of the lesser-known secrets of the C programming language is the so-called “strict aliasing rule”. This is a shame, because failing to adhere to it takes you (along with your code) straight into the realm of undefined behavior. As no one in their right mind wants to go there, let’s shed some light on it!

POINTER ALIASING DEFINED

First of all, we have to clarify what “aliasing” really means, or rather aliasing of pointers. Take a look at this example:


int value;

int* p1 = &value;   // p1 points to 'value'.
int* p2 = &value;   // p2 as well...

Here, ‘p1’ and ‘p2’ are aliased to the same object ‘value’; that is, they point to the same object. If you update ‘value’ through ‘p1’:


*p1 = 42;

a read through ‘p2’ will reflect this change:


assert((*p1 == *p2) && (value == *p2)); // So true...

Because of the possibility of aliasing, a C compiler is prevented from applying certain optimizations. Consider:


int silly(int* x, int* y) {
    *x = 0;
    *y = 1;
    return *x;
}

You might think that any decent compiler would generate simplified code equivalent to this:


int silly(int* x, int* y) {
    *x = 0;
    *y = 1;
    return 0;   // *x was previously set to 0, so don't load from memory again.
}

It’s not a matter of decency — the compiler just can’t do this optimization! Here’s the assembly output that clearly shows that the return value is loaded from memory:


$ gcc -O2 -masm=intel silly.c -S && cat silly.s


silly:
        mov     DWORD PTR [rdi], 0
        mov     DWORD PTR [rsi], 1
        mov     eax, DWORD PTR [rdi] ; '*x' fetched from memory.
        ret

The optimization is not possible because the caller could call ‘silly’ like so:


int value;
silly(&value, &value);

In this case, ‘x’ and ‘y’ are aliased to the same ‘value’, which means ‘silly’ must return 1 not 0. Consequently, ‘*x’ must be read from memory, every time. Period.
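
Both cases are easy to try out. Here is a minimal sketch that repeats ‘silly’ from above and adds a small self-check; ‘check_silly’ is a name I made up for illustration:

```c
#include <assert.h>

/* Same function as above: the compiler must assume that x and y may alias. */
int silly(int* x, int* y) {
    *x = 0;
    *y = 1;
    return *x;   /* Reloaded from memory because '*y = 1' may have changed *x. */
}

/* Hypothetical self-check covering the non-aliased and the aliased call. */
void check_silly(void) {
    int a = 5;
    int b = 5;
    int value = 5;

    assert(silly(&a, &b) == 0);           /* Distinct objects: *x stays 0. */
    assert(silly(&value, &value) == 1);   /* Aliased: the second store wins. */
}
```

If the compiler returned a hard-coded 0, the second assertion would fail, which is exactly why it has to emit the extra load.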

ROOM FOR IMPROVEMENT

If you think about it, even though it may happen, pointer aliasing won’t happen very often in practice. Why waste so much potential for optimization for the uncommon case? Most likely, the folks from the C standards committee had the same line of thinking. They introduced rules that state when pointer aliasing must not happen. Enter the strict aliasing rule.

To facilitate compiler optimization, the strict aliasing rule demands that (in simple words) pointers to incompatible types never alias. Pointers to compatible types (like the two ‘int’ pointers ‘x’ and ‘y’ in ‘silly’) are assumed to (potentially) alias. Let’s make the pointer types incompatible (‘short*’ vs. ‘int*’):


int silly2(short* x, int* y) {
    *x = 0;
    *y = 1;
    return *x;
}


$ gcc -O2 -masm=intel silly2.c -S && cat silly2.s


silly2:
        mov     WORD PTR [rdi], ax
        mov     DWORD PTR [rsi], 1
        xor     eax, eax            ; equivalent to mov eax, 0
        ret

As you can see, this time no load from memory is performed — 0 is returned instead. The optimization is possible because the compiler assumes that aliasing is not allowed in this case.

VIOLATIONS

But what happens if pointers to incompatible types nevertheless alias? After all, this can happen quite easily. Maybe not in the ‘silly’ example, but in real-world production code:


struct measurements_t {
    uint8_t level;
    uint16_t temperature;
    uint32_t force;
};

void convert(const uint8_t* data, struct measurements_t* measurements) {
    /* Fill measurements object with raw data. */
    *measurements = *((struct measurements_t*) &data[0]);
}

In an attempt to convert data stored in a buffer (maybe read over a network connection) into a high-level structure, a pointer to ‘struct measurements_t’ is aliased with a pointer to a ‘uint8_t’. Since both types are incompatible (pointer to struct vs. pointer to ‘uint8_t’) this code is a violation of the strict aliasing rule. Experienced C developers most likely recognized immediately that this code yields undefined behavior, but they would have probably attributed it to struct padding and alignment issues. The real reason, as we know by now, is a violation of the strict aliasing rule.
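
One way to stay within the rules is to copy the bytes into the struct member by member with ‘memcpy’, which is allowed because it copies objects byte by byte. The following is only a sketch under assumptions of mine, not a drop-in fix: ‘convert_safely’ and ‘MEASUREMENTS_WIRE_SIZE’ are hypothetical names, and I assume the buffer holds the three fields back to back without padding, in the byte order of the host:

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

struct measurements_t {
    uint8_t level;
    uint16_t temperature;
    uint32_t force;
};

/* Assumed wire layout: 1 byte level, 2 bytes temperature, 4 bytes force,
   no padding, host byte order. */
enum { MEASUREMENTS_WIRE_SIZE = 7 };

void convert_safely(const uint8_t* data, struct measurements_t* measurements) {
    assert(data != NULL && measurements != NULL);
    /* memcpy copies plain bytes, so neither aliasing nor alignment is an issue. */
    memcpy(&measurements->level,       &data[0], sizeof(measurements->level));
    memcpy(&measurements->temperature, &data[1], sizeof(measurements->temperature));
    memcpy(&measurements->force,       &data[3], sizeof(measurements->force));
}
```

Optimizing compilers typically turn such small, fixed-size ‘memcpy’ calls into ordinary load and store instructions, so the conforming version usually costs little or nothing.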

THE FINE PRINT

So what exactly is the strict aliasing rule and what does “type compatibility” mean? Here’s an excerpt from the ISO C99 standard, section 6.5:

An object shall have its stored value accessed only by an lvalue expression that has one of the following types:

a type compatible with the effective type of the object,

a qualified version of a type compatible with the effective type of the object,

a type that is the signed or unsigned type corresponding to the effective type of the object,

a type that is the signed or unsigned type corresponding to a qualified version of the effective type of the object,

an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union), or

a character type.

Such standardese is often hard to digest, so let me try to clarify it a bit. Aliased pointer access is fine if:

1. The pointed-at types are identical. Note that typedefs are just type aliases and don’t introduce new types:


typedef int INT;
INT* p = ...
int x = *((int*) p);    // Fine and cast not really necessary!

2. The pointed-at types are identical apart from the “signed-ness” (e. g. ‘int’ vs. ‘unsigned int’).
3. The pointed-at types are identical apart from qualification (e. g. ‘const int’ vs. ‘int’).
4. The rule “an aggregate or union type that includes one of the aforementioned types among its members” is highly confusing and probably doesn’t mean much. Check this out for details.
5. The pointed-at types are different, but the access is made through a pointer to a character type:


float f = 3.1415;
unsigned char* p = (unsigned char*) &f;
unsigned char a1 = p[0];   // First byte of 'f'.
unsigned char a2 = p[1];   // :
unsigned char a3 = p[2];   // :
unsigned char a4 = p[3];   // Last byte of 'f'.
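
The character-type exception is also the reason why ‘memcpy’ is the usual way to reinterpret the bytes of one type as another. Here is a minimal sketch, assuming a 32-bit IEEE 754 ‘float’ (common, but not guaranteed by the C standard); ‘float_to_bits’ is a hypothetical helper name:

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

uint32_t float_to_bits(float f) {
    uint32_t bits;
    /* Assumption: float and uint32_t have the same size on this platform. */
    assert(sizeof(bits) == sizeof(f));
    /* Defined behavior: the bytes of 'f' are copied as characters. */
    memcpy(&bits, &f, sizeof(bits));
    /* By contrast, *(uint32_t*) &f would violate the strict aliasing rule. */
    return bits;
}
```

On a platform that meets the assumption, ‘float_to_bits(1.0f)’ yields 0x3F800000.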

Conversely, aliased pointer access is not defined if the pointed-at types are fundamentally different. Note that this includes pointers to structs that are identically defined but have different tag names:


struct S1 { int x; }; // tag 'S1'.
struct S2 { int x; }; // tag 'S2'.

struct S1* s1 = ...
struct S2 s2 = *((struct S2*) s1);   // Undefined behavior!

CONCLUSION

The strict aliasing rule was introduced to give the compiler vendors some leeway regarding optimizations. By default, the compiler assumes that pointers to (loosely speaking) incompatible types never alias. As a consequence, you, the programmer, have to make sure that this rule is obeyed.

Here’s some disquieting news: a lot of existing code doesn’t conform to the strict aliasing rule, but the code works (or appears to work) fine anyway. As an example, the ‘convert’ function above, which aliases a struct to an array of bytes, might work fine on an Intel x86-based platform, which supports unaligned memory access. However, if you use ‘convert’ on an (older) ARM-based platform, you might get a “bus error” exception that could crash your system. In other cases, nonconforming code just works by coincidence, with a particular compiler, or a particular compiler version at a particular optimization level.

To me, knowing about the strict aliasing rule is as important for every systems developer as knowing about the other systems programming “secrets” like alignment, struct padding, and endianness.

A GCC Compiler Mistake

“Most of the evil in this world is done by people with good intentions.”
— T.S. Eliot

Errors, defects, bugs, blunders — when we talk about software-related errors, we often use terms loosely and synonymously — but there are differences. For instance, in his book “The Design of Everyday Things“, Donald A. Norman makes a clear distinction between “mistakes” and “slips”:

“Errors come in several forms. Two fundamental categories are slips and mistakes. Slips result from automatic behavior, when subconscious actions that are intended to satisfy our goals get waylaid en route. Mistakes result from conscious deliberations.”

In short: mistakes are the result of faulty ideas whereas slips are errors made when implementing an idea. Usually, slips are not just easy to make, but also easy to fix. Fixing mistakes is typically much harder.

One of the easiest slips to make in C/C++ is to inadvertently do a boolean test on an assignment expression:


if (a = b) {    // Oops! Should have been a == b.
    ...
}

which is equivalent to:


if ((a = b) != 0) {
    ...
}

While in some rare cases this is exactly what the developer had in mind, in 99% of all cases it’s not. Hence, boolean-testing assignments is explicitly banned by many C/C++ coding standards and frowned upon by most developers.

But what’s all the fuss about, you might ask. If an unlucky developer forgets to type the second ‘=’, any decent 21st century compiler surely generates a warning, doesn’t it? Well, the answer is, as we shall see, both yes and no.

If you compile the example above with GCC (I’ve tried version 5.4.0) using options ‘-W -Wall’, you do get a warning:

warning: suggest parentheses around assignment used as truth value

GCC’s reasoning is this: if developers really wanted to truth test the assignment (there are still people out there who do, as strange as this may sound), they need to put an extra pair of parentheses around the assignment, to show their intent:


if ((a = b)) {    // Warning is gone.
    ...
}

Requiring an extra set of parentheses seems to be a neat idea, but it’s the devil in disguise. For one thing, it reminds me of Sledge Hammer saying “Trust me, I know what I’m doing” (which was usually followed by disaster), for another, it doesn’t work reliably. In order to explain, I first need to put the same slip in a slightly more complicated expression:


if (a == b && c = d) {  // Should be c == d.
    ...
}

In this case, you don’t just get a warning; your compiler will refuse to compile this code. Why? According to C’s precedence rules, the assignment operator has lower priority than the ‘&&’ operator, which means that the code is equivalent to


if (((a == b) && c) = d) {  // Should be c == d.
    ...
}

The C language standard says that the result of an ‘&&’ expression is a so-called “rvalue” and an rvalue is more or less read-only. Thus, assigning ‘d’ to it is just not possible and GCC is right when it barks:

error: lvalue required as left operand of assignment

A slip that doesn’t compile is a kind slip, you might think, but read on. We only got lucky by accident, so to speak.

Many coding standards, like MISRA, for instance, require that you put parentheses around subexpressions to clearly show what precedence you have in mind, instead of relying on obscure operator precedence rules. Hence, instead of


if (a == b && c == d)   // violates MISRA-C 2012, Rule 12.1: 
                        // "The precedence of operators within
                        //  expressions should be made explicit"

you have to write


if ((a == b) && (c == d))   // MISRA compliant

MISRA exists to make coding errors unlikely, but if a MISRA-abiding developer forgets the second ‘=’, he’s out of luck, at least if he’s using GCC:


if ((a == b) && (c = d))   // MISRA compliant, but a slip anyway...

Now the devil reveals himself: since the parentheses are properly placed, there is no attempt to assign to an rvalue, so there won’t be a compile-time error and because of GCC’s “parentheses feature” mentioned above, GCC doesn’t issue a warning, either.
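
To see what such a silent slip does at run-time, here is a small sketch. All function names are hypothetical and mine; the second function shows one possible guard, namely comparing through a pointer to ‘const’, so that an accidental ‘=’ no longer compiles:

```c
#include <assert.h>
#include <stdbool.h>

/* Contains the slip: '(*c = d)' assigns instead of comparing. */
bool equal_pairs_with_slip(int a, int b, int* c, int d) {
    return (a == b) && (*c = d);
}

/* Intended version. Because 'c' points to const, typing '=' by accident
   here would be rejected as an assignment to a read-only object. */
bool equal_pairs(int a, int b, const int* c, int d) {
    return (a == b) && (*c == d);
}

/* Hypothetical self-check showing the side effect of the slip. */
void check_slip(void) {
    int c = 5;
    assert(equal_pairs_with_slip(1, 1, &c, 7));   /* "Equal", although 5 != 7. */
    assert(c == 7);                               /* 'c' was overwritten. */

    c = 5;
    assert(!equal_pairs(1, 1, &c, 7));            /* Correctly reports a mismatch. */
    assert(c == 5);                               /* 'c' is untouched. */
}
```

The guard only helps where the compared object can be made read-only, so it is a mitigation rather than a replacement for a proper compiler warning.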

Early in my career as a software developer, I read the aforementioned book “The Design of Everyday Things” and I believe it left a mark on me. One of the book’s unforgettable key lessons is this:

“When you have trouble with things — whether it’s figuring out whether to push or pull a door or the arbitrary vagaries of the modern computer and electronics industry — it’s not your fault. Don’t blame yourself: blame the designer.”

GCC’s “extra parentheses” feature is far from neat design — it’s rather bad design that doesn’t work in all contexts and gives developers a false sense of security. It was deliberately put in and correctly implemented but the idea was wrong from the outset. Thus, it’s not a slip, but obviously a mistake.

Dangerously Confusing Interfaces IV: The Perils of C’s “safe” String Functions

“It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.”
–Mark Twain
Buffer overflows are among the most frequent causes of security flaws in software. They typically arise in situations such as when a programmer is 100% certain that the buffer to hold a user’s name is big enough — until a guy from India logs in. Thus, well-behaved developers always use the bounded-length versions of string functions. Alas, they come with differing, dangerously confusing interfaces.

THE GOOD

Let’s start with ‘fgets‘:


char buffer[30]; /* 30 bytes ought to be enough for everyone! */
fgets(buffer, sizeof(buffer), stdin);

No matter what users type into their terminals, ‘fgets’ will ensure that ‘buffer’ is a well-formed, zero-terminated string of at most 29 characters (one character is needed for the ‘\0’ terminator). The same goes for the ‘snprintf’ function. After executing the following code


char buffer[4];
snprintf(buffer, sizeof(buffer), "The quick brown fox");

‘buffer’ will contain the string “The”, again, properly zero-terminated.

Both functions follow the same, easy-to-grasp pattern: you pass a pointer to a target buffer as well as the buffer’s total size and get back a terminated string that doesn’t overflow the buffer. Awesome!

THE BAD

In order to copy strings safely, developers often reach for ‘strncpy‘ to guard themselves against dreaded buffer overruns:


char buffer[30]; /* 30 bytes ought to be enough for everyone! */
strncpy(buffer, user_name, sizeof(buffer)); /* safer than good ol' strcpy? */

Unfortunately, this is not how ‘strncpy’ works! We assumed that it followed the pattern established by ‘fgets’ and ‘snprintf’ but that’s not the case. Even though ‘strncpy’ promises that it never overflows the target buffer, it doesn’t necessarily zero-terminate it. What it does is copy up to ‘sizeof(buffer)’ bytes from ‘user_name’ to ‘buffer’, but if none of the copied bytes is ‘\0’ (i. e. ‘user_name’ comprises ‘sizeof(buffer)’ or more characters), ‘strncpy’ leaves you with an unterminated string! A traditional approach to solve this shortcoming is to enforce zero-termination by putting a ‘\0’ character as the last element of the target buffer after the call to ‘strncpy’:


strncpy(buffer, user_name, sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';

Using ‘strncpy’ without such explicit string termination is almost always an error — a rather insidious one, as your code will work most of the time but not when the buffer is completely filled (i. e. your Indian colleague “Villupuram Chinnaih Pillai Ganesan” logs on).
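
Since the two lines always belong together, it makes sense to wrap them in a function so that the termination can’t be forgotten. A minimal sketch; ‘copy_terminated’ is a hypothetical name, not a standard library function:

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical wrapper: copies at most dst_size - 1 characters and always
   zero-terminates, truncating src if necessary. */
void copy_terminated(char* dst, size_t dst_size, const char* src) {
    assert(dst != NULL && src != NULL && dst_size > 0);
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
}
```

Called as ‘copy_terminated(buffer, sizeof(buffer), user_name)’, it follows the same “pointer plus total size” pattern as ‘fgets’ and ‘snprintf’.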

Boy, oh boy is this inconsistent! ‘fgets’ and ‘snprintf’ give you guaranteed zero-termination but ‘strncpy’ doesn’t. A clear violation of the principle of least surprise. Apparently, ‘strncpy’ fixes one safety problem and at the same time lays the foundation for another one.

THE UGLY

Can it get worse? You bet! How do you think ‘strncat‘, the bounded-length string concatenation function, behaves? Ponder this code:


const char* string1 = "123";
const char* string2 = "4567890";

char buffer[7];

/* First, safely fill buffer with string1. */
strncpy(buffer, string1, sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';

/* Next, concatenate strings. */
strncat(buffer, string2, sizeof(buffer));

But this is wrong, of course: the third argument to ‘strncat’ (let’s call this argument ‘n’) is not the size of the target buffer. It is the maximum number of characters to copy from the source string (‘string2’) to the destination buffer (‘buffer’). If the length of the source string is greater than or equal to ‘n’, ‘strncat’ copies ‘n’ characters plus a ‘\0’ to terminate the target string. In the code above, ‘buffer’ already holds “123”, so appending the seven characters of ‘string2’ plus the terminator writes past the end of the 7-byte buffer. Confused? Don’t worry, here’s how you would use it to avoid concatenation buffer overruns:


strncat(buffer, string2, sizeof(buffer) - strlen(buffer) - 1); 
    // -1 to account for '\0'.

Yuck! What’s the likelihood that people remember this correctly?
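
If you have to stick with ‘strncat’, you can at least hide the arithmetic in one place. The following is a sketch under the assumption that the destination already holds a zero-terminated string; ‘append_terminated’ is a hypothetical name of mine:

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical wrapper: appends as much of src as fits into dst, which has a
   total size of dst_size bytes and must already hold a terminated string. */
void append_terminated(char* dst, size_t dst_size, const char* src) {
    const char* end = memchr(dst, '\0', dst_size);
    assert(end != NULL);                      /* dst must be zero-terminated. */
    size_t used = (size_t) (end - dst);       /* Same as strlen(dst). */
    strncat(dst, src, dst_size - used - 1);   /* -1 to account for '\0'. */
}
```

With the 7-byte buffer from above holding “123”, appending “4567890” this way leaves “123456” in the buffer: three characters fit, plus the terminator.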

THE REMEDY

Even if the different interfaces and behaviors of the bounded-length string functions in the C API make sense for certain use cases (or made sense at some point in time), the upshot is that they confuse programmers and potentially lead to new security holes when in fact they were supposed to plug them. What’s a poor C coder supposed to do?

As always, you can roll your own versions of bounded/safe string functions or use my safe version of ‘strcpy’. If you’d rather use something from the standard library, I’d suggest that you use ‘snprintf’ as a replacement for both ‘strncpy’ and ‘strncat’:


/* Safe replacement for 'strncpy' */
snprintf(buffer, sizeof(buffer), "%s", string1);

/* Safe replacement for 'strncat' */
snprintf(buffer, sizeof(buffer), "%s%s", string1, string2);

Looks like ‘snprintf’ is the Swiss Army knife of safe string processing, doesn’t it? The moral is this: use whatever you’re comfortable with, but refrain from using ‘strncpy’ or ‘strncat’ directly.
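
A nice extra of ‘snprintf’ is that its return value tells you whether the output was truncated: it returns the length the complete result would have had. Here is a minimal sketch that makes use of this; ‘concat_checked’ is a hypothetical helper name:

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: writes a followed by b into dst and reports whether
   the result fit without truncation. dst must not overlap a or b. */
bool concat_checked(char* dst, size_t dst_size, const char* a, const char* b) {
    assert(dst != NULL && dst_size > 0);
    int needed = snprintf(dst, dst_size, "%s%s", a, b);
    /* snprintf returns the length the full result would have had. */
    return (needed >= 0) && ((size_t) needed < dst_size);
}
```

Note that the destination must not be one of the source strings: something like ‘snprintf(buffer, sizeof(buffer), "%s%s", buffer, string2)’ copies between overlapping objects, which is undefined behavior.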

More dangerously confusing interfaces…

Playgrounds Revamped

“Play is the highest form of research.”
— Albert Einstein

Many years ago, I wrote about the importance of having playgrounds, that is, easy-to-access try-out areas for carrying out programming-related experiments with the overall goal of exploring and learning.

Recently, I’ve reworked my C++ playground and uploaded it to GitHub. Compared to my previous C++ playground, the new one comes with the following major advantages:

Shared access to playgrounds from multiple computers — since it is based on a Git repository.
Every experiment has its own subdirectory — the top-level playground directory stays clean and clearly arranged.
Unit test support through Google Test — running ‘make’ not just builds the experiment but also executes contained unit tests.

Once cloned and installed, you can start a new experiment like this:


cd ~/pg-cpp
. pg-setup init_within_loop_body

‘pg-setup’ will create a directory called ‘init_within_loop_body’ along with a ‘Makefile’ and an ‘init_within_loop_body.cpp’ source file. Plus, if you have defined your ‘EDITOR’ environment variable properly, it will open ‘init_within_loop_body.cpp’ in your favorite editor for you. All that’s left to do is add your experiment’s code to the testcase template:


// This experiment tests if a variable inside a loop body
// is initialized with every iteration.
TEST(init_within_loop_body, simple) {
    for (int i = 0; i < 10; ++i) {
        int k = 0;
        // Assume that k is initialized every time.
        EXPECT_EQ(0, k);
        ++k;
    }
}

Now, just type/execute ‘make’ (either from within your editor or from the command-line) and your code will be compiled and run:


g++  -W -Wall -g -pthread -I /home/ralf/get-me-gtest/googletest-release-1.8.0/googletest/include -I /home/ralf/get-me-gtest/googletest-release-1.8.0/googlemock/include -L /home/ralf/get-me-gtest/googletest-release-1.8.0/googlemock  init_within_loop_body.cpp  -l gmock_main -o init_within_loop_body
./init_within_loop_body
Running main() from gmock_main.cc
[==========] Running 1 test from 1 test case.
[----------] Global test environment set-up.
[----------] 1 test from init_within_loop_body
[ RUN      ] init_within_loop_body.simple
[       OK ] init_within_loop_body.simple (0 ms)
[----------] 1 test from init_within_loop_body (0 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (0 ms total)
[  PASSED  ] 1 test.

Pointers in C, Part II: CV-Qualifiers

“A teacher is never a giver of truth; he is a guide, a pointer to the truth that each student must find for himself.”
— Bruce Lee

In part I of this series, I explained what pointers are in general, how they are similar to arrays, and — more importantly — where, when, and why they are different to arrays. Today, I’ll shed some light on the so-called ‘cv qualifiers’ which are frequently encountered in pointer contexts.

CV-QUALIFIER BASICS

CV-qualifiers allow you to supplement a type declaration with the keywords ‘const’ or ‘volatile’ in order to give a type (or rather an object of a certain type) special treatment. Take ‘const’, for instance:


const double PI = 3.1415927;
PI = 1.23;  // Error, PI is constant.
PI += 1;    // ditto.

‘const’ is a guarantee that a value isn’t (inadvertently) changed by a developer. On top of that, it gives the compiler some leeway to perform certain optimizations, like placing ‘const’ objects in ROM/non-volatile memory instead of (expensive) RAM, or even not storing the object at all and instead inlining the literal value whenever it’s needed.

‘volatile’, on the other hand, prevents optimizations. It’s a hint to the compiler that the value of an object can change in ways not known by the compiler and thus the value must never be cached in a processor register (or inlined) but instead always loaded from memory. Apart from this ‘don’t optimize’ behavior, there’s little that ‘volatile’ guarantees. In particular, and contrary to common belief, it’s no cure for typical race condition problems. It’s mostly used in signal handlers and to access memory-mapped hardware devices.
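
The signal handler case can be sketched with nothing but the standard library. This is a minimal illustration, not a recipe for production signal handling; ‘signal_seen’, ‘on_signal’ and ‘signal_flag_demo’ are hypothetical names:

```c
#include <assert.h>
#include <signal.h>

/* Written by the handler, read by normal code: 'volatile' forces a real load. */
static volatile sig_atomic_t signal_seen = 0;

static void on_signal(int signo) {
    (void) signo;
    signal_seen = 1;
}

/* Hypothetical demo: installs the handler, raises SIGINT in this process,
   and returns the flag's value afterwards. */
int signal_flag_demo(void) {
    signal_seen = 0;
    void (*previous)(int) = signal(SIGINT, on_signal);
    assert(previous != SIG_ERR);
    raise(SIGINT);              /* The handler runs before raise() returns. */
    signal(SIGINT, previous);   /* Restore the earlier disposition. */
    return signal_seen;
}
```

Without ‘volatile’, the compiler would be free to assume that ‘signal_seen’ still holds the 0 it stored a few lines earlier.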

Even if it sounds silly at first, it’s possible to combine ‘const’ and ‘volatile’. The following code declares a constant that shall not be inlined/optimized:


const volatile int MAX_SENSORS = 4;
...
for (int i = 0; i < MAX_SENSORS; ++i) {  // Always load MAX_SENSORS
                                         // value from memory.
    sum += sensors[i].value;
}

Using both ‘const’ and ‘volatile’ together makes sense when you want to ensure that developers can’t change the value of a constant and at the same time retain the possibility to update the value through some other means, later. In such a setting, you would place ‘MAX_SENSORS’ in a dedicated non-volatile memory section (i.e. flash or EEPROM) that is independent of the code, e.g. a section that only hosts configuration values^*. By combining ‘const’ and ‘volatile’ you ensure that the latest configuration values are used and that these configuration values cannot be altered by the programmer (i.e. from within the software).

To sum it up, ‘const’ means “not modifiable by the programmer” whereas ‘volatile’ denotes “modifiable in unforeseeable ways”.

CV-QUALIFIERS COMBINED WITH POINTERS

Like I stated in the intro, cv-qualifiers often appear in pointer declarations. However, this poses a problem because we have to differentiate between cv-qualifying the pointer and cv-qualifying the pointed-to object. There are “pointers to ‘const'” and “‘const’ pointers”, two terms that are often confused. Here’s code involving a pointer to a constant value:


const int MAX_RATE = 200;
const int MIN_RATE = 10;
int default_rate = 42;

const int* rate;
rate = &MAX_RATE;    // Point to memory containing MAX_RATE.
rate = &MIN_RATE;    // Now point to memory containing MIN_RATE.

*rate = 1000;        // Error: pointer-to-const cannot modify
                     // pointed-to object.

rate = &default_rate; // Point to non-const value.
*rate = 1000;        // Error: pointer-to-const cannot modify
                     // pointed-to object.

Since the pointer is declared as pointing to ‘const’, no changes through this pointer are possible, even if it points to a mutable object in reality.

Constant pointers, on the other hand, behave differently. Have a look at this example:


int default_rate = 42;  // Non-const value.
int current_rate = 19;  // ditto.

int* const p;                   // Legal in C (an error in C++), but useless:
                                // 'p' can never be assigned afterwards.
int* const p = &current_rate;   // Fine, point to a non-const value.
*p = 50;                        // Indirectly update current rate.
p = &default_rate;              // Error: const pointers can't be
                                // bound to another object.
++p;                            // ditto.

The takeaway is this: if the ‘const’ keyword appears to the left of the ‘*’, the pointed-to value is ‘const’ and hence we are dealing with a pointer to ‘const’; if the ‘const’ keyword is to the right of the ‘*’, the pointer itself is ‘const’. Of course, it’s possible to have the ‘const’ qualifier on both sides at the same time:


const int * const rate = &MAX_RATE;
*rate = 42;                     // Error: pointer to const can't 
                                // modify value.
++rate;                         // Error: const pointer can't 
                                // point elsewhere.

The same goes for multi-level pointers:


const int * const * v;

Here, ‘v’ is a regular (non-‘const’) pointer to a ‘const’ pointer to a ‘const’ integer.
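
For reference, here are the declarations discussed so far in one compilable piece. It’s a sketch with made-up names (‘qualifier_demo’ and its local variables); the statements that would not compile are left in comments:

```c
#include <assert.h>

/* Hypothetical demo of the pointer declarations discussed above. */
int qualifier_demo(void) {
    int a = 1;
    int b = 2;

    const int* pointer_to_const = &a;   /* Read-only view, may be re-pointed. */
    pointer_to_const = &b;
    /* *pointer_to_const = 5;              Error: pointed-to value is const. */

    int* const const_pointer = &a;      /* Fixed target, writable value. */
    *const_pointer = 10;
    /* const_pointer = &b;                 Error: pointer itself is const. */

    const int* const both = &b;         /* Neither pointer nor value may change. */
    const int* const* v = &both;        /* Pointer to const pointer to const int. */
    assert(*v == &b);

    return *pointer_to_const + *const_pointer + **v;   /* 2 + 10 + 2 */
}
```

Note that ‘v’ itself could still be re-pointed to another ‘const int* const’ object, since only the levels below it are qualified.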

Yuck! Sometimes, I really wish the inventors of C had used ‘<-‘ instead of ‘*’ for pointer declarations — the resulting code would have been easier on the eyes! Consider:


int* p;

versus


int <- p;    // say: "p is a POINTER TO int"


const int <- const <- v;

would read from right to left as “v is a POINTER TO const POINTER TO const int”. Life would be so much simpler… but let’s face reality and stop daydreaming!

Everything I said about ‘const’ equally applies to pointers to ‘volatile’ and ‘volatile’ pointers: pointers to ‘volatile’ ensure that the pointed-to value is always loaded from memory whenever a pointer is dereferenced; with ‘volatile’ pointers, the pointer itself is always loaded from memory (and never kept in registers).
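
Here is a rough sketch of the two cases. The "register" is just a static variable standing in for real memory-mapped hardware, and all names are made up for illustration.

```c
/* Hypothetical stand-in for a memory-mapped status register. */
static volatile int fake_status_reg;

int poll_twice(void)
{
    fake_status_reg = 0;                    /* start from a known state          */

    volatile int *reg = &fake_status_reg;   /* pointer to volatile               */
    int first = *reg;                       /* a real load                       */
    fake_status_reg = 7;                    /* simulate the hardware changing it */
    int second = *reg;                      /* loaded again, not reused          */

    int plain = 5;
    int *volatile vp = &plain;              /* volatile pointer: 'vp' itself is  */
                                            /* re-read every time it is used     */
    return first + second + *vp;            /* 0 + 7 + 5 */
}
```

On a desktop machine both variants behave like ordinary pointers, so the function simply returns 12; the difference only shows up in the generated code, where the compiler may not cache the volatile accesses.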

Things really get complicated when there is a free mix of ‘volatile’ and ‘const’ keywords with pointers involving more than two levels of indirection:


volatile int * const volatile * volatile * p;

We’d better not go there! If you are in multi-level pointer trouble, remember that there’s a little tool called ‘cdecl’ which I showcased in the previous episode. But now let’s move on to the topic of how and when cv-qualified pointers can be assigned to each other.
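
If you do end up there and have no ‘cdecl’ at hand, one way out is to build the type level by level with typedefs. The following is only a sketch: the typedef and macro names are my own, and the check relies on the C11 features '_Generic' and '_Static_assert', so it assumes a C11-capable compiler.

```c
typedef volatile int *vint_ptr;               /* pointer to volatile int            */
typedef vint_ptr const volatile *level2_ptr;  /* pointer to const volatile vint_ptr */
typedef level2_ptr volatile *level3_ptr;      /* pointer to volatile level2_ptr     */

/* C11: evaluates to 1 only if T is the same pointer type as level3_ptr. */
#define SAME_AS_LEVEL3(T) _Generic((T)0, level3_ptr: 1, default: 0)

/* Compile-time proof that the typedef chain spells the one-line monster. */
_Static_assert(SAME_AS_LEVEL3(volatile int *const volatile *volatile *),
               "typedef chain should match the one-line declaration");

int typedef_chain_matches(void)
{
    return SAME_AS_LEVEL3(volatile int *const volatile *volatile *);
}
```

Read from right to left, the original declaration says "p is a pointer to volatile pointer to const volatile pointer to volatile int", which is exactly what the three typedefs stack up.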

ASSIGNMENT COMPATIBILITY I

Pointers are assignable if the pointer on the left hand side of the ‘=’ sign is not more capable than the pointer on the right hand side. In other words: you can assign a less constrained pointer to a more constrained pointer, but not vice versa. If you could, the promise made by the constrained pointer would be broken:


const int* pc;
int* p;

pc = p;     // OK, since 'p' is a read/write pointer and
            // 'pc' is a read-only pointer.
p = pc;     // Error: 'pc' is more constrained than 'p'.
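
The legal direction is what makes ‘const’ parameters practical. A minimal sketch, with function names and values of my own choosing: the callee promises not to write, and the caller may hand over a read/write pointer without any cast.

```c
#include <stddef.h>

/* Promises not to modify the elements it is given. */
int sum(const int *values, size_t count)
{
    int total = 0;
    for (size_t i = 0; i < count; ++i)
        total += values[i];
    return total;
}

int sum_demo(void)
{
    int rates[] = { 19, 42, 50 };
    int *p = rates;        /* read/write pointer                     */
    return sum(p, 3);      /* int* -> const int*: implicit, no cast  */
}
```

Here 'sum_demo()' returns 111. The conversion only ever adds a restriction, so no promise can be broken by it.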

If the previous statement were legal, a programmer could suddenly get write access to a read-only variable:


const int VALUE = 42;
const int* pc = &VALUE;     // Equal restrictiveness on both 
                            // sides (i.e. const).
*pc = 43;                   // Error: no write access.
int* p = pc;                // Let's pretend this was legal...
*p = 43;                    // const value updated!
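
You can of course force the issue with an explicit cast. The sketch below (names are illustrative) does so, but note the assumption that keeps it well-defined: the underlying object is deliberately not declared ‘const’. With a truly ‘const’ object like 'VALUE', the final write would be undefined behavior. Also be aware that some compilers merely warn about the uncast assignment instead of refusing it outright.

```c
int cast_away_const_demo(void)
{
    int value = 42;             /* note: NOT declared const                 */
    const int *pc = &value;     /* read-only view of a writable object      */
    /* int *p = pc; */          /* diagnosed: discards the const qualifier  */
    int *p = (int *)pc;         /* explicit cast: you take responsibility   */
    *p = 43;                    /* defined only because 'value' is writable */
    return value;
}
```

The function returns 43. The cast silences the compiler, but it does not change what the pointed-to object really is.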

Again, the same restrictions hold for pointers to ‘volatile’. In general, pointers to cv-qualified objects are more constrained than their non-qualified counterparts and hence may not be assigned to a pointer that carries fewer qualifiers. By the same token, the first of these assignments is not legal:


const volatile int* pcv;
const int* pc;
pc = pcv;               // Error: right hand side is more constrained...
pcv = pc;               // OK.

ASSIGNMENT COMPATIBILITY II

The rule which requires that the right hand side must not be more constrained than the left hand side might lead you to the conclusion that the following code is perfectly kosher:


int value = 100;
int* p = &value;
int** pp = &p;

const int** ppc = pp;   // Error: incompatible assignment.

However, it’s not, and for good reason, as I will explain shortly. But it’s far from obvious and it’s a conundrum to most — even seasoned — C developers. Why is it possible to assign a pointer to non-const to a pointer to ‘const’:


const int *pc;
int* p;
pc = p;             // OK.

but not a pointer to a pointer to non-const to a pointer to a pointer to ‘const’?


const int** ppc;
int** pp;
ppc = pp;           // Error.

Here is why. Imagine this example:


const int VALUE = 42;
int* p;
const int** ppc;
ppc = &p;           // Error, but let's pretend this was legal.

Graphically, our situation is this. ‘ppc’ points to ‘p’ which in turn points to some random memory location, as it hasn’t been initialized yet:


VALUE       0x00B00010: 00 00 00 2A     // 42
:           :
p           0x00004220: ?? ?? ?? ??     // Points to random location
ppc         0x00004224: 00 00 42 20     // Points to 'p'

Now, when we dereference ‘ppc’ one time, we get to our pointer ‘p’. Let’s point it to ‘VALUE’:


*ppc = &VALUE;

It shouldn’t surprise you that this assignment is valid: the right-hand side (pointer to const int) is not more constrained than the left-hand side (also pointer to const int). The resulting picture is this:


VALUE       0x00B00010: 00 00 00 2A     // 42
:           :
p           0x00004220: 00 B0 00 10     // Now points to 'VALUE'
ppc         0x00004224: 00 00 42 20     // Points to 'p'

Everything looks safe. If we attempt to update ‘VALUE’, we won’t succeed:


**ppc = 666; // Error: can't update through pointer to 'const'.

But we are far from safe. Remember that we also (indirectly) updated ‘p’, which was declared as pointing to a non-const int? The compiler would happily accept the following assignment:


*p = 666;

which leads to undefined behavior, as the C language standard calls it.

This example should have convinced you that it’s a good thing that the compiler rejects the assignment from ‘int**’ to ‘const int**’: it would open up a backdoor for granting write access to more constrained objects. Finding the corresponding words in the C language standard is not so easy, however, and requires some digging. If you feel “qualified” enough (sorry for the pun), look at chapter “6.5.16.1 Simple assignment”, which states the rules of object assignability. You probably also need to have a look at “6.7.5.1 Pointer declarators”, which details pointer type compatibility, as well as “6.7.3 Type qualifiers”, which specifies compatibility of qualified types. Putting this all into a cohesive picture is left as an exercise to the diligent reader.
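
So what do you do when you hold an array of ‘int*’ and some function insists on a ‘const int**’? One conservative option, sketched below with hypothetical names, is to copy the pointers into an array of ‘const int*’ first. Each element assignment is a plain single-level ‘int*’ to ‘const int*’ conversion, which is legal, and no cast is needed anywhere.

```c
#include <stddef.h>

/* Hypothetical consumer that wants an array of pointers to const int. */
int sum_all(const int **items, size_t count)
{
    int total = 0;
    for (size_t i = 0; i < count; ++i)
        total += *items[i];
    return total;
}

int sum_all_demo(void)
{
    int a = 1, b = 2, c = 3;
    int *writable[] = { &a, &b, &c };
    const int *read_only[3];

    /* sum_all(writable, 3) would be the rejected int** -> const int** case. */
    for (size_t i = 0; i < 3; ++i)
        read_only[i] = writable[i];   /* int* -> const int*: one level, fine */

    return sum_all(read_only, 3);
}
```

'sum_all_demo()' returns 6. The copy costs a few cycles, but the callee can redirect only the entries of 'read_only', never your original ‘int*’ pointers, so the backdoor stays shut.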

________________________________
*) Separating code from configuration values is generally a good idea in embedded contexts, as it allows you to replace either of them independently.
