SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 40

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 41

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: added exceptions

...

These two requirements can be counter-intuitive when expressions contain side-effects. Evaluation of the operands proceeds left-to-right, without regard to operator precedence rules and indicative parentheses; evaluation of the operators, however, obeys precedence rules and parentheses. Best practice is to avoid using expressions that contain multiple side-effects. When used, such expressions must be carefully structured to respect the left-to-right evaluation order

It is recommended that any expression should never write to memory that it subsequently reads, and it should never write to any memory twice. Memory writing and reading can occur directly in the expression from assignments, or indirectly through side-effects in functions called in the expression.

Noncompliant Code Example (order of evaluation)

This noncompliant code example shows how side-effects in expressions can lead to unanticipated outcomes. The programmer intends to write access control logic based on different threshold levels. Each user has a rating that must be above the threshold to be granted access. As shown, a simple function can calculate the rating. The get() method is expected to return a non-zero factor for users who are authorized, and a zero value for those who are unauthorized.

...

Code Block
bgColor#FFcccc
class BadPrecedence {
  public static void main(String[] args) {
    int number = 17;
    int[] threshold = new int[20];
    threshold[0] = 10;
    number = (number > threshold[0]? 0 : -2) + ((31 * ++number) * (number = get()));
    // ... 
    if(number == 0) {
      System.out.println("Access granted");
    } else {
      System.out.println("Denied access"); // number = -2
    }
  }
  public static int get() {
    int number = 0;
    // Assign number to non zero value if authorized else 0
    return number;
  }
}

Compliant Solution

Noncompliant Code Example (order of evaluation)

This noncompliant code example This compliant solution reorders the previous expression so that the left-to-right evaluation order of the operands corresponds with the programmer's intent.

Code Block
bgColor#ccccff
number = ((31 * ++number) * (number=get())) + (number > threshold[0]? 0 : -2);

Although this solution solves the problemcode performs as expected, it continues to represent still represents poor practice by using expressions with more than one side-effect. It also depends on the left-right ordering for evaluation of side-effects, by writing to number three times.

Compliant Solution (order of evaluation)

This compliant solution uses equivalent code with no side-effects. It performs only one write, to number. The resulting expression can be reordered without concern for the evaluation order of the component expressions, making the code easier to understand and maintain.

Code Block
bgColor#ccccff
final int authnum = get();
number = ((31 * (number + 1)) * authnum) + (authnum > threshold[0]? 0 : -2);

Exceptions

EXP09:EX1: The postincrement and postdecrement operators (++ and --) assign a new value to a variable and then subsequently read it. These are well-understood and are an exception to the rule against reading memory that was written in the same expression.

EXP09:EX2: The logical operators || and && have well-understood short-circuit semantics, and so expressions involving these operators may violate this rule. Consider the following code:

Code Block
bgColor#ccccff

InputStream in;
int i;
// Skip one char, process next
while ((i = in.read()) != -1 && (i = in.read()) != -1) {
  // ...
}

This code is compliant, because while the overall conditional expression violates the rule, the sub-expressions on either side of the && operator do not. Each has exactly one assignment and one side-effect (the reading of a character from in).

Risk Assessment

Failure to understand the evaluation order of expressions containing side effects can result in unexpected output.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

EXP09-J

low

unlikely

medium

P2

L3

Automated Detection

Detection of all expressions involving both side-effects and also multiple operator precedence levels is straightforward. Determining the correctness of such uses is infeasible in the general case; heuristic warnings could be useful.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Related Guidelines

C Coding Standard: EXP30-C. Do not depend on order of evaluation between sequence points

C++ Coding Standard: EXP30-CPP. Do not depend on order of evaluation between sequence points

Bibliography

Wiki Markup
\[[JLS 2005|AA. Bibliography#JLS 05]\] [Section 15.7|http://java.sun.com/docs/books/jls/third_edition/html/expressions.html#15.7] "Evaluation Order" and [15.7.3|http://java.sun.com/docs/books/jls/third_edition/html/expressions.html#15.7.3] "Evaluation Respects Parentheses and Precedence"

...