...
According to C99, Section 6.5, "Expressions":
Except as specified later (for the function-call
(),&&,||,?:, and comma operators), the order of evaluation of subexpressions and the order in which side effects take place are both unspecified.
...
This recommendation is related to guideline EXP30-C. Do not depend on order of evaluation between sequence points, but focuses on behavior that is nonportable or potentially confusing.
...
The order of evaluation of the function designator, the actual arguments, and subexpressions within the actual arguments is are unspecified, but there is a sequence point before the actual call.
...
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
EXP10-C | medium | probable | medium | P8 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||
|---|---|---|---|---|---|---|---|
|
|
|
| ||||
|
...
|
|
...
|
One could also violate the recommendation using dynamic memory passed to both functions, but that would be extremely difficult to detect using static analysis.
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
Related Guidelines
This rule appears in the C++ Secure Coding Standard as : EXP10-CPP. Do not depend on the order of evaluation of subexpressions or the order in which side effects take place.
Bibliography
| Wiki Markup |
|---|
\[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\] Section 6.5, "Expressions," Section 6.5.16, "Assignment operators," Section 6.5.2.2, "Function calls," and Section 6.7.8, "Initialization" \[[ISO/IEC PDTR 24772|AA. Bibliography#ISO/IEC PDTR 24772]\] "JCW Operator precedence/Order of Evaluation" and "SAM Side-effects and Order of Evaluation" \[[MISRA 042004|AA. Bibliography#MISRA 04]\] Rule 12.2 |
...