Versions Compared


Some operators do not evaluate their operands beyond the type information the operands provide. When using one of these operators, do not pass an operand that would otherwise yield a side effect, because the side effect will not be generated.

The sizeof operator yields the size (in bytes) of its operand, which may be an expression or the parenthesized name of a type. In most cases, the operand is not evaluated. A possible exception is when the type of the operand is a variable length array type (VLA), in which case the expression is evaluated. When part of the operand of the sizeof operator is a VLA type and changing the value of the VLA's size expression would not affect the result of the operator, it is unspecified whether or not the size expression is evaluated (see unspecified behavior 22).

The operand passed to _Alignof is never evaluated. The operand used in the controlling expression of a _Generic selection expression is never evaluated.

Providing an expression that appears to produce side effects may be misleading to programmers who are not aware that these expressions are not evaluated and, in the case of a VLA used in sizeof, have unspecified results. As a result, programmers may make invalid assumptions about program state, leading to errors and possible software vulnerabilities.
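As an added example (not code from the CERT page), the following program uses hypothetical function names and returns values that show which operand side effects actually occur: sizeof on a plain operand, sizeof on a VLA whose size depends on the operand, the controlling expression of _Generic, and the compliant pattern of applying the side effect in its own statement.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not the CERT page's own code. Each function returns a
   value that reveals whether the side effect inside the operand happened. */

/* Non-VLA operand of sizeof: a++ is never evaluated, so a stays 14. */
int sizeof_plain_operand(void) {
  int a = 14;
  size_t size = sizeof(a++);   /* only the type of a++ is used */
  (void)size;
  return a;                    /* 14 */
}

/* VLA operand whose size depends on ++n: the size expression is evaluated,
   so the increment happens. Returns the new n when the size agrees. */
size_t sizeof_vla_operand(size_t n) {
  size_t size = sizeof(int[++n]);
  return (size == n * sizeof(int)) ? n : 0;   /* n + 1 */
}

/* Controlling expression of _Generic: a++ contributes only its type (int),
   so the int association (2) is selected but a is never incremented. */
struct generic_result { int selected; int a; };
struct generic_result generic_control_expression(void) {
  int a = 0;
  struct generic_result r;
  r.selected = _Generic(a++, int : 2, short : 3, default : 1);
  r.a = a;                     /* 0 */
  return r;
}

/* Compliant pattern from the rule: apply the side effect in its own
   statement and pass the plain object to the operator. */
int sizeof_then_increment(void) {
  int a = 14;
  size_t size = sizeof(a);
  ++a;
  return (size == sizeof(int)) ? a : -1;   /* 15 */
}

int main(void) {
  struct generic_result g = generic_control_expression();
  printf("sizeof(a++):            a = %d\n", sizeof_plain_operand());
  printf("sizeof(int[++n]), n=3:  n = %zu\n", sizeof_vla_operand(3));
  printf("_Generic(a++, ...):     a = %d, selected %d\n", g.a, g.selected);
  printf("sizeof(a); ++a:         a = %d\n", sizeof_then_increment());
  return 0;
}
```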

...

```c
#include <stdio.h>
void func(void) {
  int a = 14;
  int b = sizeof(a++);
  printf("%d, %d\n", a, b);
}
```

Consequently, the value of a after b has been initialized is 14.

...

```c
#include <stdio.h>
void func(void) {
  int a = 14;
  int b = sizeof(a);
  ++a;
  printf("%d, %d\n", a, b);
}
```

Noncompliant Code Example (sizeof, VLA)

...

```c
#include <stddef.h>
#include <stdio.h>

void f(size_t n) {
  /* n must be incremented */
  size_t a = sizeof(int[++n]);

  /* n need not be incremented */
  size_t b = sizeof(int[++n % 1 + 1]);

  printf("%zu, %zu, %zu\n", a, b, n);
  /* ... */
}
```

...

```c
#include <stddef.h>
#include <stdio.h>

void f(size_t n) {
  size_t a = sizeof(int[n + 1]);
  ++n;

  size_t b = sizeof(int[n % 1 + 1]);
  ++n;
  printf("%zu, %zu, %zu\n", a, b, n);
  /* ... */
}
```

Noncompliant Code Example (_Generic)

This noncompliant code example attempts to modify a variable's value as part of the _Generic selection control expression. The programmer may expect that a is incremented, but because _Generic does not evaluate its control expression, the value of a is not modified.

```c
#include <stdio.h>

#define S(val) _Generic(val, int : val = 2, \
                             short : val = 3, \
                             default : val = 1)
void func(void) {
  int a = 0;
  int b = S(a++);
  printf("%d, %d\n", a, b);
}
```

Compliant Solution (_Generic)

In this compliant solution, a is incremented outside of the _Generic selection expression:

```c
#include <stdio.h>

#define S(val) _Generic(val, int : 2, \
                             short : 3, \
                             default : 1)
void func(void) {
  int a = 0;
  int b = S(a);
  ++a;
  printf("%d, %d\n", a, b);
}
```

Noncompliant Code Example (_Alignof)

...

```c
#include <stddef.h>
#include <stdio.h>

void func(void) {
  int val = 0;

  /* ... */

  size_t align = _Alignof(++val);
  printf("%zu, %d\n", align, val);
  /* ... */
}
```

Compliant Solution (_Alignof)

This compliant solution moves the expression out of the _Alignof operator:

```c
#include <stddef.h>
#include <stdio.h>

void func(void) {
  int val = 0;

  /* ... */

  ++val;
  size_t align = _Alignof(val);
  printf("%zu, %d\n", align, val);
  /* ... */
}
```

Risk Assessment

...

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...