How do you return a pointer to non modifiable data in c

Question

I wish to return a pointer to data from a function. The caller should not modify that data. I want the compiler to flag an error if the caller is assigning the return value to a non const pointer.

I know that it is possible to cast away const, but I want the caller to be forced to do that cast instead of just an implicit cast or warning. (or no warning!, as on the compiler I am using). I believe the answer to my question is that it is not possible. I think that there is no way to prevent caller code like this from compiling, and that if the user deferences the data (buf in my example) it will be undefined behaviour.

Please note I am asking if it is possible to do this in the c language itself, and if not, an explanation of why the standard prevents this. I am not looking for a way to make this specific example flag an error using some specific compiler command line.

#include "stdio.h"

const int* get_buf_2()
{
    static int arr[10] = {1};
    return arr;
}

void get_buf(const int ** buf)
{
    static int arr[10] = {1};
    *buf = arr;
}

int main(int argc, char const *argv[])
{
    int *buf;
    get_buf(&buf);
    printf("%d %d\n", buf[0], buf[1]);
    buf = get_buf_2();
    printf("%d %d\n", buf[0], buf[1]);
    const int cbuf[10];
    buf = cbuf;
    return 0;
}

This code produces 3 warnings with clang and gcc, each time the pointer buf is assigned from a pointer to const. The two different warnings:

warning: passing 'int **' to parameter of type 'const int **' discards
      qualifiers in nested pointer types [-Wincompatible-pointer-types-discards-qualifiers]
warning: assigning to 'int *' from 'const int *' discards qualifiers
  [-Wincompatible-pointer-types-discards-qualifiers]

Possibly related:

Why can't I convert 'char**' to a 'const char* const*' in C?

Return Pointer To Non-Modifiable Member Array C++ gcc warning

Answer 1

I'm not entirely clear on what you are looking for, but nothing prevents you from returning the address to a read-only location. Take for example the short snippet where the function number returns a const int* pointer to the address of a value within data:

#include <stdio.h>

const int data[] = { 1, 2, 3, 4 };
const int notfound = -1;

const int *number (unsigned n)
{
    if (n < sizeof data / sizeof *data)
        return &data[n];

    return &notfound;
}

int main (int argc, char **argv) {

    int v = argc > 1 ? *argv[1] - '0' : 2;
    const int *n = number (v);

#ifdef TESTERR
    (*n)++;  /* <== error: increment of read-only location ‘*n’ */
#endif

    printf ("v : %d\n", *n);

    return 0;
}

Example Without Attempt to Modify

If there is no further attempt to modify the returned pointer, the compiler has no problems at all:

$ gcc -Wall -Wextra -pedantic -std=gnu11 -o bin/fn_const_ptr fn_const_ptr.c
(no error, no warning)

Example Attempting to Modify Return

However, if you do attempt to modify the value at the location returned by number, the compiler will generate an error without any specific option supplied

$ gcc -Wall -Wextra -pedantic -std=gnu11 -o bin/fn_const_ptr fn_const_ptr.c -DTESTERR
fn_const_ptr.c: In function ‘main’:
fn_const_ptr.c:20:5: error: increment of read-only location ‘*n’
     (*n)++;  /* <== error: increment of read-only location ‘*n’ */
     ^

Of course the const can always be cast away, but that would take an affirmative act, which would not be avoidable. E.g.

int *p;
...
#ifdef TESTERR
    p = (int*)n;
    (*p)++;  /* SegFault */
#endif

Let me know if this is what you intended.

Answer 2

To answer your question, "I am asking if it is possible to do this [...] and if not, an explanation of why the standard prevents this."

For the first part: const is the only tool that C gives you for this purpose.

If your use-case permits it you could build an iterator-like struct and supporting functions to provide element-by-element access while protecting the actual storage. (But if that fits, you could also just change the API to a int get_len()/char get_char(int idx) interface)

For the second part: per ISO 9899:201x draft n1570:

6.5.16.1 Simple assignment

1 One of the following shall hold:

[...]

— the left operand has atomic, qualified, or unqualified pointer type, and (considering the type the left operand would have after lvalue conversion) both operands are pointers to qualified or unqualified versions of compatible types, and the type pointed to by the left has all the qualifiers of the type pointed to by the right;

This is the case that covers assignment to a pointer (when neither operand to the assignment is void *), and it clearly requires the type pointed to by the left side to have all of the qualifiers of the type pointed to by the right side. With const being one such qualifier, your compiler that doesn't even warn about an assignment that ignores const is just not implementing the spec.

(For clarity, the spec uses "qualified pointer" to mean <type> * <qualifier>. It uses "qualifier on the type pointed to" to mean <qualifier> <type> *.)

[Editorial comment: I would hazard a guess that the compiler that doesn't even warn is targeted toward embedded development. Embedded developers seem to put up with abysmal tools regularly.]

Answer 3

The problem is your declaration of buf in main:

int *buf;

Just change it to:

const int *buf;

That should take care of the warnings.