SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 173

changes.mady.by.user David Svoboda

Saved on

compared with

New Version Current

changes.mady.by.user Caden Milne

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated references from C11->C23

...

The C Standard, 6.5, paragraph 2 [ISO/IEC 9899:20112024], states

If a side effect on a scalar object is unsequenced relative to either a different side effect on the same scalar object or a value computation using the value of the same scalar object, the behavior is undefined. If there are multiple allowable orderings of the subexpressions of an expression, the behavior is undefined if such an unsequenced side effect occurs in any of the orderings.

This requirement must be met for each allowable ordering of the subexpressions of a full expression; otherwise, the behavior is undefined. (See undefined behavior 35.)

...

Furthermore, Section 6.5.1617.1, paragraph 3 [ISO/IEC 9899:2024] says (regarding assignment operations):

The side effect of updating the stored value of the left operand is sequenced after the value computations of the left and right operands. 

This rule means that statements such as

...

Not all instances of a comma in C code denote a usage of the comma operator. For example, the comma between arguments in a function call is not a sequence point. However, according to the C Standard, 6.5.23.23, paragraph 10 8 [ISO/IEC 9899:20112024]

Every evaluation in the calling function (including other function calls) that is not otherwise specifically sequenced before or after the execution of the body of the called function is indeterminately sequenced with respect to the execution of the called function.

This rule means that the order of evaluation for function call arguments is unspecified and can happen in any order.

...

PRQA QA-C_v

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

evaluation-order

multiple-volatile-accesses

Fully checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-EXP30
Clang
Include Page
Clang_V
Clang_V
-WunsequencedDetects simple violations of this rule, but does not diagnose unsequenced function call arguments.
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.STRUCT.SE.DEC
LANG.STRUCT.SE.INC
LANG.STRUCT.SE.INIT

Side Effects in Expression with Decrement
Side Effects in Expression with Increment
Side Effects in Initializer List

Compass/ROSE



Can detect simple violations of this rule. It needs to examine each expression and make sure that no variable is modified twice in the expression. It also must check that no variable is modified once, then read elsewhere, with the single exception that a variable may appear on both the left and right of an assignment operator

Coverity

Include Page
Coverity_V
Coverity_V

EVALUATION_ORDER

Can detect the specific instance where a statement contains multiple side effects on the same value with an undefined evaluation order because, with different compiler flags or different compilers or platforms, the statement may behave differently

Cppcheck

Include Page
Cppcheck_V
Cppcheck_V

unknownEvaluationOrderPartially implemented
Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

unknownEvaluationOrderPartially implemented

ECLAIR

Include Page
ECLAIR_V
ECLAIR_V

CC2.EXP30

Fully implemented

GCC
Include Page
GCC_V
GCC_V


Can detect violations of this rule when the -Wsequence-point flag is used

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0400, C0401, C0402, C0403, C0404, C0405Fully implemented
Klocwork
Include Page
Klocwork_V
Klocwork_V

PORTING.VAR.EFFECTS
MISRA.INCR_DECR.OTHER

Fully implemented
LDRA tool suite
Include Page
LDRA_V
LDRA_V

35 D, 1 Q, 9 S, 30 S, 134 S

Partially implemented

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-EXP30-a
CERT_C-EXP30-b
CERT_C-EXP30-c
CERT_C-EXP30-d

The value of an expression shall be the same under any order of evaluation that the standard permits
Don't write code that depends on the order of evaluation of function arguments
Don't write code that depends on the order of evaluation of function designator and function arguments
Don't write code that depends on the order of evaluation of expression that involves a function call

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

564

Partially supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule EXP30-CChecks for situations when expression value depends on order of evaluation or of side effects (rule partially covered)PRQA QA-C
Include Page

PRQA QA-C_v

0400, 0401, 0402,

0403, 0404, 0405

Fully implemented


PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V532, V567
RuleChecker
Include Page
RuleChecker_V
RuleChecker_V

evaluation-order

multiple-volatile-accesses

Fully checked
Splint
Include Page
Splint_V
Splint_V



SonarQube C/C++ Plugin
Include Page
SonarQube C/C++ Plugin_V
SonarQube C/C++ Plugin_V
IncAndDecMixedWithOtherOperators
TrustInSoft Analyzer

Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V

separated

Exhaustively verified (see one compliant and one non-compliant example).

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

Bibliography

[ISO/IEC 9899:2011]

Annex C, "Sequence Points"

[ISO/IEC 9899:2024]

6.5, "Expressions"

6.5.

2

17.

2

1, "

Function Calls

Assignment Operators"

Annex C

6.5.3.3, "

Sequence Points

Function Calls"

[Saks 2007]
[Summit 2005]Questions 3.1, 3.2, 3.3, 3.3b, 3.7, 3.8, 3.9, 3.10a, 3.10b, and 3.11

...