C compiler undefined behavior accessing global T const * const obj whose underlying object may change?

Question

What kinds of C syntax does the C standard specify for Defined Behavior and Undefined Behavior when using const pointers to global data areas in order to communicate both to the C compiler and to a programmer that in some functions the global data areas may be modified and in the rest of the source the global data areas should be read only?

If one functionfunc2(), accesses a global memory area through a pointer T const * const pObj; there fore seen as read only yet the data area may be changed by another function, func(), which accesses the same global memory area through a pointer T * const pObj; and the function func() is invoked either directly by func2() or by a callee of func2() will any local copies of data from the global memory area, for instance temporary variables or values in registers, be refreshed after any function call? Is a function call a kind of reset point that triggers all cached, non-local data (whether marked as const or not) stored in registers or local temporary variables to be flushed and refreshed?

Working with older C source that has several memory resident data areas used to maintain state I would like for most of the source to see these areas as read only. However some functions will modify the data areas depending on various events.

What I thought to do was to have two types of pointers to these memory resident data areas both of which point to the same location but which are defined so that the memory area is treated as either read only (T const * const pObj;) or as read/writable (T * const pObj;).

What does the C standard have to say about this approach and how safe is it?

For instance in the following C source example across several files, I expect that func2() will work correctly since the state change happens with a call to func() before func2() is called.

The include file contains the following source lines defining some types as well as declaring the global variables which are defined elsewhere.

typedef struct { int state; /* other stuff */ } ET;  // Event type
typedef struct { ET state; /* other stuff */ } T;    // memory resident data type

extern T const * const pObjImmutable;  // readonly pointer to readonly memory
extern T * const pObjMutable;  // readonly pointer to read/writable memory
extern int  IsState (const ET state, const ET event);  // check for equivalence of state and event

Next there is a source file where the pointers declared in the include file are actually defined along with an API for manipulation and changes.

static T objThing;       // define the object but make static for file visibility only
T const * const pObjImmutable = &objThing;  // define global readonly pointer to readonly memory
T * const pObjMutable = &objThing;  // define global readonly pointer to read/writable memory

int  IsState (ET state, ET event)
{
   // check for equivalence of state and event ....
}  

Finally there is a source file where the global objects are actually being used.

void func (ET event)
{
    // make changes to objThing based on event
    pObjMutable->state = event;
}

void func2 (void)
{
    extern ET const stdStateOne, const stdStateTwo;

    // use current state of objThing to make decisions
    if (IsState (pObjImmutable->state, stdStateOne)) {
        //  do things for State One due to an event
    } else if (IsState (pObjImmutable->state, stdStateTwo)) {
        //  do things for State Two due to an event
    }
}

int main ()
{
    func (eventOne);    // initialize the state
    func2 ();           // do something based on current state
    func (eventTwo);    // change the state
    func2();            // do something based on current state using new state
}

However what does the C standard say if the function func2() calls a function which somewhere in the call tree a function is called which modifies the memory resident area? For example if the function func2() calls the function func() directly with a new event or if the function func2() calls a function which in turn calls func() with a new event?

Answer 1

This comment isn't quite right:

extern T const * const pObjImmutable;  // immutable pointer to immutable memory

The pointer could be pointing to mutable or immutable memory, we can't tell. All we can tell is that this pointer cannot be used to modify that memory. It's possible the target is mutable and may change between reads of this pointer; the only restriction is that the memory can not be written by this pointer.

a function is called which modifies the memory resident area?

I'm not sure exactly what you mean by this. If you had the following:

static const T constThing;

and then some code modified the bytes of storage of constThing, it causes undefined behaviour. But...

For example if the function func2() calls the function func() directly with a new event or if the function func2() calls a function which in turn calls func() with a new event?

If you are just talking about the non-const objThing then this is fine. pObjMutable is used to update objThing ; and for anyone looking at the object by any means (including via pObjImmutable), they will see the changes.

Accordingly, if you have some code like:

printf("%d\n", pObjImmutable->bar);
func();
printf("%d\n", pObjImmutable->bar);

the compiler cannot cache the result of pObjImmutable->bar for the second printf, because func() might have modified objThing.

Answer 2

Since the const qualifier indicates that the value of the variable will not change, the compiler is free to do what ever optimizations it wants to do including keeping values in registers or temporary values. If a variable or object marked as const does in fact change through some other action, this is considered Undefined Behavior.

So const T *p = &Thing; means that the address in the pointer p may change though the object or variable pointed to will not change (changing the variable results in undefined behavior). Using T * const p = &Thing; means that the pointer p will not change though the object or variable pointed to may change. Using T const * const p = &Thing; means that not only will the address in the pointer p not change but also the contents of the variable pointed to will not change either. (See What is the difference between const int*, const int * const, and int const *?

The result is that using extern T const * const p; in order to access a global variable that the pointer p is pointing to means that any functions called should not modify the contents of the object or variable whose address is in the pointer variable p. Doing so results in undefined behavior.

Using volatile qualifier with const

Additional investigation indicates that the appropriate definition of the global pointer which presents an object as a read only object which may actually change due to some other activity such as a hardware event or another thread or process would be the following.

T const volatile  * const pObjImmutable = &objThing;  // read only pointer to read only memory which may change somehow

In the include file declaring this global variable for other source files to access we would use:

extern T const volatile  * const pObjImmutable;

This use of the volatile type qualifier indicates that the object pointed to may change (see Why is volatile needed in C?) however the const qualifier indicates the object is not be modified through the pointer provided. This is from section 6.7.3 Type qualifiers, paragraph 10 on page 109 of WG14/N1124 Committee Draft — May 6, 2005 ISO/IEC 9899:TC2

The relevant sections, section 5 and section 6, from the document along with two notes, 113 and 114, are as follows.

5 If an attempt is made to modify an object defined with a const-qualified type through use of an lvalue with non-const-qualified type, the behavior is undefined. If an attempt is made to refer to an object defined with a volatile-qualified type through use of an lvalue with non-volatile-qualified type, the behavior is undefined. 113)

6 An object that has volatile-qualified type may be modified in ways unknown to the implementation or have other unknown side effects. Therefore any expression referring to such an object shall be evaluated strictly according to the rules of the abstract machine, as described in 5.1.2.3. Furthermore, at every sequence point the value last stored in the object shall agree with that prescribed by the abstract machine, except as modified by the unknown factors mentioned previously. 114) What constitutes an access to an object that has volatile-qualified type is implementation-defined.

113) This applies to those objects that behave as if they were defined with qualified types, even if they are never actually defined as objects in the program (such as an object at a memory-mapped input/output address).

114) A volatile declaration may be used to describe an object corresponding to a memory-mapped input/output port or an object accessed by an asynchronously interrupting function. Actions on objects so declared shall not be ‘‘optimized out’’ by an implementation or reordered except as permitted by the rules for evaluating expressions.

Also an answer from stackoverflow Difference between const & const volatile mentions this article, Combining C’s volatile and const Keywords which states:

Though the essence of the volatile (“ever-changing”) and const (“read-only”) decorators may seem at first glance opposed, there are some times when it makes sense to use them both to declare one variable. The scenarios I’ve run across have involved pointers to memory-mapped hardware registers and shared memory areas.

See also the article How to Use C's volatile Keyword in which has this to say about the proper use of the volatile qualifier.

A variable should be declared volatile whenever its value could change unexpectedly. In practice, only three types of variables could change:

1. Memory-mapped peripheral registers

2. Global variables modified by an interrupt service routine

3. Global variables accessed by multiple tasks within a multi-threaded application

Note of Warning re Multi-threaded Applications

One note of warning is that this construct does not provide synchronization so should be used cautiously in multi-threaded applications with multiple threads referencing and modifying the global data object referenced via the pointers.

Using the volatile key word provides only a notification to the compiler that the data object may change due to some external event. There is no synchronization of the data object between multiple threads. There is no prevention of a data object being in an inconsistent state due to a partial update before a thread is swapped out. The data object could be in an inconsistent state at the point a time slice completes or operating system API is called by a thread which is updating the data object and the update is incomplete before the thread is put on the wait list.

This would also seem to be a consideration for complex data objects using shared memory being updated by some piece of hardware.

Andre Alexandrescu wrote an article in Dr. Dobbs (2001 before C++11) about the use of the volatile qualifier in multi-thread applications, volatile: The Multithreaded Programmer's Best Friend which describes the use of volatile and its effect on compiler optimization along with locks and mutexes. Also see Volatile in C++11 whose answer describes compiler optimization and volatile for C++11.