According to the Java Language Specification Section 15.7, "Evaluation Order":

The Java programming language guarantees that the operands of operators appear to be evaluated in a specific evaluation order, namely, from left to right.

On the other hand, Section 15.7.3, "Evaluation Respects Parentheses and Precedence," states:

Java programming language implementations must respect the order of evaluation as indicated explicitly by parentheses and implicitly by operator precedence.

These two requirements can be counter-intuitive when expressions contain side-effects. Evaluation of the operands proceeds left-to-right, without regard to operator precedence rules and indicative parentheses; evaluation of the operators, however, obeys precedence rules and parentheses. Best practice is to avoid using expressions that contain multiple side-effects. When used, such expressions must be carefully structured to respect the left-to-right evaluation order.
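The following added example (not part of the original guideline) traces the rule above: operands are evaluated left to right, while operators are applied according to precedence and parentheses. The class `EvalOrderDemo` and the helper `operand` are hypothetical names chosen for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class EvalOrderDemo {
    // Records the order in which operands are actually evaluated.
    static final List<String> trace = new ArrayList<>();

    // Hypothetical helper: an operand whose evaluation has a visible side effect.
    static int operand(String name, int value) {
        trace.add(name);
        return value;
    }

    public static void main(String[] args) {
        // Precedence groups this as a + (b * c), yet the operands are
        // still evaluated in the order a, b, c.
        int r = operand("a", 1) + operand("b", 2) * operand("c", 3);
        System.out.println("a + b * c   = " + r + ", operand order " + trace);

        // Parentheses change which operator is applied first, not the
        // order in which the operands are evaluated.
        trace.clear();
        int s = operand("a", 1) * (operand("b", 2) + operand("c", 3));
        System.out.println("a * (b + c) = " + s + ", operand order " + trace);

        // Side effect inside the expression: the left operand n is read
        // before the parenthesized assignment runs, so the old value of n
        // contributes to the sum even though the assignment is parenthesized.
        int n = 5;
        int t = n + (n = 10) * 2;
        System.out.println("n + (n = 10) * 2 = " + t + ", n is now " + n);

        // Restructured form: one side effect per statement, so the result
        // no longer depends on the reader knowing the operand ordering rule.
        int m = 5;
        int before = m;   // value read before the update
        m = 10;           // the single side effect, in its own statement
        int u = before + m * 2;
        System.out.println("restructured     = " + u + ", m is now " + m);
    }
}
```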

...

However, the program grants access to the unauthorized user because evaluation of the side-effect-infested subexpressions follows the left-to-right ordering rule.

...

Although this solution solves the problem, it continues to represent poor practice by using expressions with more than one side-effect. It also depends on the left-to-right ordering for evaluation of side-effects.

...

Detection of all expressions involving both side-effects and multiple operator precedence levels is straightforward. Determining the correctness of such uses is infeasible in the general case; heuristic warnings could be useful.

Other Languages

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Related Guidelines

This guideline appears in the C Coding Standard as EXP30-C. Do not depend on order of evaluation between sequence points.

This guideline appears in the C++ Coding Standard as EXP30-CPP. Do not depend on order of evaluation between sequence points.

Bibliography

[JLS 2005] Section 15.7, "Evaluation Order," and Section 15.7.3, "Evaluation Respects Parentheses and Precedence"

...