Is Fortran Memory-Safe?

The document ISO/IEC 24772-8 - Vulnerability descriptions for the programming language Fortran - currently under development by WG23, the ISO Work Group for Programming Language Vulnerabilities, recommends the following avoidance mechanisms related to parameter passing (clause 6.32), which includes argument aliasing:

6.32.2 Avoidance mechanisms for language users
Fortran software developers can avoid the vulnerability or mitigate its ill effects in the following ways. They can:

  • Use the avoidance mechanisms of ISO/IEC 24772-1:2019 clause 6.32.5.
  • Specify explicit interfaces by placing procedures in modules where the procedure is to be used in more than one scope, or by using internal procedures where the procedure is to be used in one scope only.
  • Specify argument intents to allow further checking of argument usage.
  • Specify pure (or elemental) for procedures where possible for greater clarity of the programmer’s intentions.
  • Use a compiler or other tools to automatically create explicit interfaces for external procedures.
  • If available, use runtime checks against aliasing, at least during development.
  • Ensure that the result of a function is assigned, potentially through the use of static analysis tools or explicit runtime checks.

The first bullet point refers to this clause:

6.32.5 Avoiding the vulnerability or mitigating its effects
Software developers can avoid the vulnerability or mitigate its ill effects in the following ways. They can:

  • Use available mechanisms to label parameters as constants or with modes like in, out, or inout;
  • When a choice of mechanisms is available, pass small simple objects using call by copy;
  • When a choice of mechanisms is available and the computational cost of copying is tolerable, pass larger objects using call by copy;
  • When the choice of language or the computational cost of copying forbids using call by copy, then take safeguards to prevent aliasing:
    • Minimize side-effects of subprograms on non-local objects; when side-effects are coded, ensure that the affected non-local objects are not passed as parameters using call by reference;
    • To avoid unintentional aliasing effects, avoid using expressions or function calls as actual arguments; instead assign the result of the expression to a temporary local and pass the local;
    • Utilize tools or other forms of analysis to ensure that non-obvious instances of aliasing are absent;
  • Perform reviews or analysis to determine that called subprograms fulfil their responsibilities to assign values to all output parameters.

Drafts of the documents can be found in the WG23 Document Register.

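As an added illustration (my own example, not code from the post above nor from ISO/IEC 24772-8), here is how three of the listed mechanisms work together in practice: a module procedure (explicit interface), declared INTENTs, and a PURE function. The aliased call that the clause warns about is shown commented out; it is non-conforming because the standard forbids modifying a dummy argument while another dummy is associated with the same actual. The module and procedure names, the array contents, and the compiler flag mentioned are my assumptions for the example.

```fortran
! Added example, not part of the original post or of ISO/IEC 24772-8.
! Demonstrates explicit interfaces, INTENT, PURE, and the temporary-copy
! safeguard from 6.32.5 against argument aliasing.
module safe_ops
  implicit none
contains
  ! Module procedure => every caller sees an explicit interface, so the
  ! compiler can check actual/dummy association, including aliasing.
  subroutine scale_into(src, dst, factor)
    real, intent(in)  :: src(:)
    real, intent(in)  :: factor
    real, intent(out) :: dst(:)
    integer :: i
    do i = 1, size(src)
       dst(i) = factor * src(i)
    end do
  end subroutine scale_into

  ! PURE: no side effects on non-local objects and all dummies INTENT(IN),
  ! so the function cannot alias a global it also modifies.
  pure function scaled(src, factor) result(dst)
    real, intent(in) :: src(:)
    real, intent(in) :: factor
    real :: dst(size(src))
    dst = factor * src
  end function scaled
end module safe_ops

program aliasing_demo
  use safe_ops
  implicit none
  real :: v(4) = [1.0, 2.0, 3.0, 4.0]   ! constructed sample input
  real :: w(4), tmp(4)

  ! Conforming: distinct actual arguments for src and dst.
  call scale_into(v, w, 2.0)
  print *, w

  ! NON-CONFORMING: the same actual is associated with an INTENT(IN) and an
  ! INTENT(OUT) dummy. With the explicit interface above, gfortran -Wall
  ! (-Waliasing) reports this at compile time; without an explicit
  ! interface it would compile silently and the result would be undefined.
  ! Kept commented out so the program stays conforming:
  ! call scale_into(v, v, 2.0)

  ! Safeguard from 6.32.5: assign to a temporary local and pass the local,
  ! so in-place scaling never aliases src and dst.
  tmp = v
  call scale_into(tmp, v, 2.0)
  print *, v

  ! Or make the copy explicit through the PURE function; the function
  ! result is a fresh temporary, so assigning it back to v is safe.
  v = scaled(v, 0.5)
  print *, v
end program aliasing_demo
```

The point of the example is the contrast: the same aliased call is a compile-time diagnostic when the interface is explicit and the INTENTs are declared, and silent undefined behaviour when the procedure is an external with an implicit interface. Whether a given compiler also offers the runtime aliasing check mentioned in the clause is vendor-specific; the temporary-copy pattern works regardless.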