EXP32-C. Do not access a volatile object through a nonvolatile reference
An object that has volatile-qualified type may be modified in ways unknown to the implementation or have other unknown side effects . Referencing a volatile object by using a non-volatile lvalue is undefined behavior . The C Standard, 6.7.4 paragraph 7 [ ISO/IEC 9899:2024 ], states
If an attempt is made to refer to an object defined with a volatile-qualified type through use of an lvalue with non-volatile-qualified type, the behavior is undefined.
See undefined behavior 62 .
Noncompliant Code Example
In this noncompliant code example, a volatile object is accessed through a non-volatile-qualified reference, resulting in undefined behavior 62 :
#include <stdio.h>
void func(void) {
static volatile int **ipp;
static int *ip;
static volatile int i = 0;
printf("i = %d.\n", i);
ipp = &ip; /* May produce a warning diagnostic */
ipp = (int**) &ip; /* Constraint violation; may produce a warning diagnostic */
*ipp = &i; /* Valid */
if (*ip != 0) { /* Valid */
/* ... */
}
}
The assignment ipp = &ip is not safe because it allows the valid code that follows to reference the value of the volatile object i through the non-volatile-qualified reference ip . In this example, the compiler may optimize out the entire if block because *ip != 0 must be false if the object to which ip points is not volatile.
Implementation Details
This example compiles without warning on Microsoft Visual Studio 2013 when compiled in C mode ( /TC ) but causes errors when compiled in C++ mode ( /TP ).
GCC 4.8.1 generates a warning but compiles successfully.
Compliant Solution
In this compliant solution, ip is declared volatile :
#include <stdio.h>
void func(void) {
static volatile int **ipp;
static volatile int *ip;
static volatile int i = 0;
printf("i = %d.\n", i);
ipp = &ip;
*ipp = &i;
if (*ip != 0) {
/* ... */
}
}
Risk Assessment
Accessing an object with a volatile-qualified type through a reference with a non-volatile-qualified type is undefined behavior 62 .
| Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| EXP32-C | Low | Likely | No | Yes | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description |
|---|---|---|---|
| Astrée | 25.10 | pointer-qualifier-cast-volatile pointer-qualifier-cast-volatile-implicit | Fully checked |
| Axivion Bauhaus Suite | 7.2.0 | CertC-EXP32 | Fully implemented |
| Clang | 3.9 | -Wincompatible-pointer-types-discards-qualifiers | |
| Compass/ROSE | |||
| Coverity | 2017.07 | MISRA C 2012 Rule 11.8 | Implemented |
| Cppcheck Premium | 24.11.0 | premium-cert-exp32-c | |
| GCC | 4.3.5 | Can detect violations of this rule when the | |
| Helix QAC | 2025.2 | C0312, C0562, C0563, C0673, C0674 | Fully implemented |
| Klocwork | 2025.2 | CERT.EXPR.VOLATILE.ADDR | Fully implemented |
| LDRA tool suite | 9.7.1 | 344 S | Partially implemented |
| Parasoft C/C++test | 2025.2 | CERT_C-EXP32-a | A cast shall not remove any 'const' or 'volatile' qualification from the type of a pointer or reference |
| Polyspace Bug Finder | R2025b | Checks for cast to pointer that removes const or volatile qualification (rule fully covered) | |
| RuleChecker | 25.10 | pointer-qualifier-cast-volatile pointer-qualifier-cast-volatile-implicit | Fully checked |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website .
Related Guidelines
Key here (explains table format and definitions)
| Taxonomy | Taxonomy item | Relationship |
| ISO/IEC TR 24772:2013 | Pointer Casting and Pointer Type Changes [HFC] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TR 24772:2013 | Type System [IHN] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| MISRA C:2012 | Rule 11.8 (required) | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT C | EXP55-CPP. Do not access a cv-qualified object through a cv-unqualified type | Prior to 2018-01-12: CERT: Unspecified Relationship |
Bibliography
| [ ISO/IEC 9899:2024 ] | 6.7.4, "Type Qualifiers" |
