...

Providing an expression that appears to produce side effects may be misleading to programmers who are not aware that these expressions are not evaluated, and in the case of a VLA used in sizeof, have unspecified results. As a result, programmers may make invalid assumptions about program state, leading to errors and possible software vulnerabilities.

This rule is similar to PRE31-C. Avoid side effects in arguments to unsafe macros.

Noncompliant Code Example (sizeof)

In this noncompliant code example, the expression a++ is not evaluated:

...

Consequently, the value of a after b has been initialized is 14.

Compliant Solution (sizeof)

In this compliant solution, the variable a is incremented outside of the sizeof operation:

void func(void) {
  int a = 14;
  int b = sizeof(a);
  ++a;
}


Noncompliant Code Example (sizeof, VLA)

In this noncompliant code example, the expression ++n in the initialization expression of a must be evaluated because its value affects the size of the VLA operand of the sizeof operator. However, in the initialization expression of b, the expression ++n % 1 evaluates to 0. This means that the value of n does not affect the result of the sizeof operator. Consequently, it is unspecified whether or not n will be incremented when initializing b.

#include <stddef.h>
 
void f(size_t n) {
  /* n must be incremented */ 
  size_t a = sizeof(int[++n]);
 
  /* n need not be incremented */
  size_t b = sizeof(int[++n % 1 + 1]);
  
  /* ... */
}


Compliant Solution (sizeof, VLA)

This compliant solution avoids changing the value of the variable n used in each sizeof expression and instead increments n safely afterwards:

#include <stddef.h>
 
void f(size_t n) {
  size_t a = sizeof(int[n + 1]);
  ++n;

  size_t b = sizeof(int[n % 1 + 1]);
  ++n;
  /* ... */
}

Noncompliant Code Example (_Generic)

This noncompliant code example attempts to modify a variable's value as part of the _Generic association list. The user may have expected the value of a to be 2 because the type of the variable is int, but because _Generic does not evaluate its operands, the value of a is not modified.

#define S(val) _Generic(val, int : val = 2, \
                             short : val = 3, \
                             default : val = 1)
void func(void) {
  int a = 0;
  S(a);
}

Compliant Solution (_Generic)

This compliant solution uses the result of the _Generic operator to assign the correct value to a.

#define S(val) _Generic(val, int : 2, \
                             short : 3, \
                             default : 1)
void func(void) {
  int a = 0;
  a = S(a);
}
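The following demonstration is added here and is not code from the CERT rule page. It puts the sizeof, VLA sizeof and _Generic cases above side by side: each function returns what actually happened to a counter after an expression that looks as if it has a side effect, so the noncompliant and compliant forms can be compared directly. Function names and the constructed inputs are assumptions of this example.

```c
#include <stddef.h>

/* Added demonstration for EXP44-C (not code from the CERT rule itself):
 * each function reports what really happened to a counter. */

/* sizeof on a non-VLA operand: the operand is never evaluated, so the
 * apparent increment is dropped and a stays 0. */
int sizeof_plain_noncompliant(void) {
  int a = 0;
  size_t sz = sizeof(a++);   /* a++ is not evaluated */
  (void)sz;
  return a;                  /* 0, not the 1 a reader might expect */
}

/* Compliant rewrite: the increment is its own statement. */
int sizeof_plain_compliant(void) {
  int a = 0;
  size_t sz = sizeof(a);
  (void)sz;
  a++;
  return a;                  /* 1 */
}

/* VLA operand whose size depends on n: this operand is evaluated, so
 * ++n happens exactly once. Returns the element count implied by the
 * computed size and reports the updated n through n_after. */
size_t sizeof_vla_evaluated(size_t n, size_t *n_after) {
  size_t sz = sizeof(int[++n]);  /* ++n must run to know the size */
  *n_after = n;
  return sz / sizeof(int);       /* original n + 1 */
}

/* Compliant VLA form: size computed from n, then n incremented separately,
 * so the result no longer depends on whether the operand was evaluated. */
size_t sizeof_vla_compliant(size_t n, size_t *n_after) {
  size_t sz = sizeof(int[n + 1]);
  ++n;
  *n_after = n;
  return sz / sizeof(int);       /* original n + 1 */
}

/* _Generic: the controlling expression is inspected only for its type and
 * never evaluated, so a++ leaves a at 0; only the selected constant results. */
int generic_controlling_expr(int *a_after) {
  int a = 0;
  int kind = _Generic(a++, int : 1, short : 2, default : 0);
  *a_after = a;                  /* still 0 */
  return kind;                   /* 1, because a has type int */
}
```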

Noncompliant Code Example (_Alignof)

This noncompliant code example attempts to modify a variable while getting its default alignment value. The user may have expected val to be incremented as part of the _Alignof expression, but because _Alignof does not evaluate its operand, val is unchanged.

#include <stddef.h>
 
void func(void) {
  int val = 0;
 
  /* ... */
 
  size_t align = _Alignof(++val);
 
  /* ... */
}

Compliant Solution (_Alignof)

The compliant solution moves the expression out of the _Alignof operator.

#include <stddef.h>
void func(void) {
  int val = 0;
 
  /* ... */
 
  ++val;
  size_t align = _Alignof(val);
 
  /* ... */
}

Risk Assessment

If expressions that appear to produce side effects are supplied to an operator that does not evaluate its operands, the results may be different than expected. Depending on how this result is used, it can lead to unintended program behavior.

Rule     Severity  Likelihood  Remediation Cost  Priority  Level
EXP44-C  Low       Unlikely    Low               P3        L3

Automated Detection

Tool             Version  Checker    Description
Compass/ROSE
ECLAIR                    CC2.EXP06  Fully implemented
LDRA tool suite           54 S       Fully implemented
PRQA QA-C                 3307       Fully implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...