EXP40-C. Do not modify constant objects
The C Standard, 6.7.4, paragraph 7 [ IS O/IEC 9899:2024 ], states
If an attempt is made to modify an object defined with a
const-qualified type through use of an lvalue with non-const-qualified type, the behavior is undefined.
See also undefined behavior 61 .
There are existing compiler implementations that allow const -qualified objects to be modified without generating a warning message.
Avoid casting away const qualification because doing so makes it possible to modify const -qualified objects without issuing diagnostics. (See EXP05-C. Do not cast away a const qualification and STR30-C. Do not attempt to modify string literals for more details.)
Noncompliant Code Example
This noncompliant code example allows a constant object to be modified:
const int **ipp;
int *ip;
const int i = 42;
void func(void) {
ipp = &ip; /* Constraint violation */
*ipp = &i; /* Valid */
*ip = 0; /* Modifies constant i (was 42) */
}
The first assignment is unsafe because it allows the code that follows it to attempt to change the value of the const object i .
Implementation Details
If ipp , ip , and i are declared as automatic variables, this example compiles without warning with Microsoft Visual Studio 2013 when compiled in C mode ( /TC ) and the resulting program changes the value of i . GCC 4.8.1 generates a warning but compiles, and the resulting program changes the value of i .
If ipp , ip , and i are declared with static storage duration, this program compiles without warning and terminates abnormally with Microsoft Visual Studio 2013, and compiles with warning and terminates abnormally with GCC 4.8.1.
Compliant Solution
The compliant solution depends on the intent of the programmer. If the intent is that the value of i is modifiable, then it should not be declared as a constant, as in this compliant solution:
int **ipp;
int *ip;
int i = 42;
void func(void) {
ipp = &ip; /* Valid */
*ipp = &i; /* Valid */
*ip = 0; /* Valid */
}
If the intent is that the value of i is not meant to change, then do not write noncompliant code that attempts to modify it.
Risk Assessment
Modifying constant objects through nonconstant references is undefined behavior 61 .
| Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| EXP40-C | Low | Unlikely | Yes | No | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description |
|---|---|---|---|
| Astrée | 25.10 | assignment-to-non-modifiable-lvalue pointer-qualifier-cast-const pointer-qualifier-cast-const-implicit write-to-constant-memory | Fully checked |
| Axivion Bauhaus Suite | 7.2.0 | CertC-EXP40 | |
| Coverity | 2017.07 | PW MISRA C 2004 Rule 11.5 | Implemented |
| Cppcheck Premium | 24.11.0 | premium-cert-exp40-c | |
| Helix QAC | 2025.2 | C0563 | |
| LDRA tool suite | 9.7.1 | 582 S | Fully implemented |
| Parasoft C/C++test | 2025.2 | CERT_C-EXP40-a | A cast shall not remove any 'const' or 'volatile' qualification from the type of a pointer or reference |
| Polyspace Bug Finder | R2025b | CERT C: Rule EXP40-C | Checks for write operations on const qualified objects (rule fully covered) |
| RuleChecker | 25.10 | assignment-to-non-modifiable-lvalue pointer-qualifier-cast-const pointer-qualifier-cast-const-implicit | Partially checked |
| Security Reviewer - Static Reviewer | 6.02 | C73 | Fully implemented |
| TrustInSoft Analyzer | 1.38 | mem_access | Exhaustively verified (see the compliant and the non-compliant example ). |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website .
Related Guidelines
Key here (explains table format and definitions)
| Taxonomy | Taxonomy item | Relationship |
| CERT C Secure Coding Standard | EXP05-C. Do not cast away a const qualification | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT C Secure Coding Standard | STR30-C. Do not attempt to modify string literals | Prior to 2018-01-12: CERT: Unspecified Relationship |
Bibliography
| [ ISO/IEC 9899:2024 ] | Subclause 6.7.4, "Type Qualifiers" |
