...
It is recommended that any expression should never write to memory that it subsequently reads, and it should never write to any memory twice. Memory writing and reading can occur directly in the expression from assignments or indirectly through side-effects in functions called in the expression.
Noncompliant Code Example (Order of Evaluation)
This noncompliant code example shows how side-effects in expressions can lead to unanticipated outcomes. The programmer intends to write access control logic based on different threshold levels. Each user has a rating that must be above the threshold to be granted access. As shown, a simple function can calculate the rating. The get() method is expected to return a non-zero factor for users who are authorized, and a zero value for those who are unauthorized.
...
| Code Block | ||
|---|---|---|
| ||
class BadPrecedence {
public static void main(String[] args) {
int number = 17;
int[] threshold = new int[20];
threshold[0] = 10;
number = (number > threshold[0]? 0 : -2) + ((31 * ++number) * (number = get()));
// ...
if(number == 0) {
System.out.println("Access granted");
} else {
System.out.println("Denied access"); // number = -2
}
}
public static int get() {
int number = 0;
// Assign number to non zero value if authorized else 0
return number;
}
}
|
Noncompliant Code Example (Order of Evaluation)
This noncompliant code example reorders the previous expression so that the left-to-right evaluation order of the operands corresponds with the programmer's intent.
...
Although this code performs as expected, it still represents poor practice, by writing to number three times in a single expression.
Compliant Solution (order of evaluation)
This compliant solution uses equivalent code with no side-effects. It performs only one write, to number. The resulting expression can be reordered without concern for the evaluation order of the component expressions, making the code easier to understand and maintain.
| Code Block | ||
|---|---|---|
| ||
final int authnum = get(); number = ((31 * (number + 1)) * authnum) + (authnum > threshold[0]? 0 : -2); |
Exceptions
EXP09:EX1: The postfix increment and postfix decrement operators (++ and --) assign a new value to a variable and then subsequently read it. These are well-understood and are an exception to the rule against reading memory that was written in the same expression.
...
This code is compliant, because while the overall conditional expression violates the rule, the sub-expressions on either side of the && operator do not. Each has exactly one assignment and one side-effect (the reading of a character from in).
Risk Assessment
Failure to understand the evaluation order of expressions containing side effects can result in unexpected output.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
EXP09-J | low | unlikely | medium | P2 | L3 |
Automated Detection
Detection of all expressions involving both side-effects and also multiple operator precedence levels is straightforward. Determining the correctness of such uses is infeasible in the general case; heuristic warnings could be useful.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Related Guidelines
C Coding Standard: EXP30-C. Do not depend on order of evaluation between sequence points
C++ Coding Standard: EXP30-CPP. Do not depend on order of evaluation between sequence points
Bibliography
| Wiki Markup |
|---|
\[[JLS 2005|AA. Bibliography#JLS 05]\] [Section 15.7|http://java.sun.com/docs/books/jls/third_edition/html/expressions.html#15.7] "Evaluation Order" and [15.7.3|http://java.sun.com/docs/books/jls/third_edition/html/expressions.html#15.7.3] "Evaluation Respects Parentheses and Precedence" |
...