Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Some operators do not evaluate their operands beyond the type information the operands provide. When using one of these operators, do not pass an operand that would otherwise yield a side effect since the side effect will not be generated.

The sizeof operator yields the size (in bytes) of its operand, which may be an expression or the parenthesized name of a type. If   In most cases, the operand is not evaluated.  A possible exception is when the type of the operand is not a variable length array type (VLA); then the expression is evaluated. When part of the operand of the sizeof operator is a VLA type and when changing the value of the VLA's size expression would not affect the result of the operator, it is unspecified whether or not the size expression is evaluated. (See unspecified behavior 22.)

The operand passed to_Alignof is never evaluated, despite not being an expression. For instance, if the operand is a VLA type and the VLA's size expression contains a side effect, that side effect is never evaluated.

The operand used in the controlling expression of a _Generic selection expression is never evaluated.

Providing an expression that appears to produce side effects may be misleading to programmers who are not aware that these expressions are not evaluated.

Non-Compliant Code Example

, and in the case of a VLA used in sizeof, have unspecified results. As a result, programmers may make invalid assumptions about program state, leading to errors and possible software vulnerabilities.

This rule is similar to PRE31-C. Avoid side effects in arguments to unsafe macros.

Noncompliant Code Example (sizeof)

In this noncompliant code example, the expression a++ is not evaluated:

Code Block
bgColor#FFcccc
langc
#include <stdio.h>
 
void func(void) {
  int a = 14;
  int b = sizeof(a++);
  printf("%d, %d\n", a, b);
}

Consequently, the value of a In this example, the variable a will still have a value 14 after b has been initialized is 14.

Compliant Solution (sizeof)

In this compliant solution, the variable a is incremented outside of the sizeof operation:

Code Block
bgColor#ccccff
langc
#include <stdio.h>
 
void func
int main(void) {
  int a = 14;
  int b = sizeof(a);
  a++ )a;
  printf("%d, %d\n", a, b);
}

Noncompliant Code Example (sizeof, VLA)

In this noncompliant code example, the expression ++n in the initialization expression of a must be evaluated because its value affects the size of the VLA operand of the sizeof operator. However, in the initialization expression of b, the expression ++n % 1 evaluates to 0. This means that the value of n does not affect the result of the sizeof operator. Consequently, it is unspecified whether or not n will be incremented when initializing b.

Code Block
bgColor#FFcccc
langc
#include <stddef.h>
#include <stdio.h>
  
void f(size_t n) {
  /* n must be incremented */ 
  size_t a = sizeof(int[++n]);
 
  /* n need not be incremented */
  size_t b = %d, %d. sizeof(int[++n % 1 + 1]);

  printf("%zu, %zu, %zu\n", a, b, n);
  /* ... /* prints a, b = 14, 4. */
  return 0;
}

The expression a++ is not evaluated. Consequently, side effects in the expression are not executed.

Implementation Specific Details

This example compiles cleanly under Microsoft Visual Studio 2005 Version 8.0, with the /W4 option.

Priority: P4 Level: L3

If the object really is constant, the compiler may have put it in ROM or write-protected memory. Trying to modify such an object may lead to a program crash. This could allow an attacker to mount a denial-of-service attack.

Component

Value

Severity

1 (low)

Likelihood

2 (probable)

Remediation cost

2 (medium)

References

*/
}

Compliant Solution (sizeof, VLA)

This compliant solution avoids changing the value of the variable n used in each sizeof expression and instead increments n safely afterwards:

Code Block
bgColor#ccccFF
langc
#include <stddef.h>
#include <stdio.h>
  
void f(size_t n) {
  size_t a = sizeof(int[n + 1]);
  ++n;

  size_t b = sizeof(int[n % 1 + 1]);
  ++n;
  printf("%zu, %zu, %zu\n", a, b, n);
  /* ... */
}

Noncompliant Code Example (_Generic)

This noncompliant code example attempts to modify a variable's value as part of the _Generic selection control expression. The programmer may expect that a is incremented, but because _Generic does not evaluate its control expression, the value of a is not modified.

Code Block
bgColor#FFcccc
langc
#include <stdio.h>

#define S(val) _Generic(val, int : 2, \
                             short : 3, \
                             default : 1)
void func(void) {
  int a = 0;
  int b = S(a++);
  printf("%d, %d\n", a, b);
}

Compliant Solution (_Generic)

In this compliant solution, a is incremented outside of the _Generic selection expression:

Code Block
bgColor#ccccFF
langc
#include <stdio.h>

#define S(val) _Generic(val, int : 2, \
                             short : 3, \
                             default : 1)
void func(void) {
  int a = 0;
  int b = S(a);
  ++a;
  printf("%d, %d\n", a, b);
} 

Noncompliant Code Example (_Alignof)

This noncompliant code example attempts to modify a variable while getting its default alignment value. The user may have expected val to be incremented as part of the _Alignof expression, but because _Alignof does not evaluate its operand, val is unchanged.

Code Block
bgColor#FFcccc
langc
#include <stdio.h>
 
void func(void) {
  int val = 0; 
  /* ... */ 
  size_t align = _Alignof(int[++val]);
  printf("%zu, %d\n", align, val);
  /* ... */
}

Compliant Solution (_Alignof)

 This compliant solution moves the expression out of the _Alignof operator:

Code Block
bgColor#ccccFF
langc
#include <stdio.h>
void func(void) {
  int val = 0; 
  /* ... */ 
  ++val;
  size_t align = _Alignof(int[val]);
  printf("%zu, %d\n", align, val);
  /* ... */
}

Exceptions

EXP44-C-EX1: Reading a volatile-qualified value is a side-effecting operation. However, accessing a value through a volatile-qualified type does not guarantee side effects will happen on the read of the value unless the underlying object is also volatile-qualified. Idiomatic reads of a volatile-qualified object are permissible as an operand to a sizeof()_Alignof(), or _Generic expression, as in the following example:

Code Block
bgColor#ccccFF
langc
void f(void) {
  int * volatile v;
  (void)sizeof(*v);
}

Risk Assessment

If expressions that appear to produce side effects are supplied to an operator that does not evaluate its operands, the results may be different than expected. Depending on how this result is used, it can lead to unintended program behavior.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP44-C

Low

Unlikely

Low

P3

L3

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

alignof-side-effect
generic-selection-side-effect
sizeof

Fully checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-EXP44
Clang
Include Page
Clang_V
Clang_V
-Wunevaluated-expressionCan diagnose some instance of this rule, but not all (such as the _Alignof NCCE).
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
LANG.STRUCT.SE.SIZEOF
LANG.STRUCT.SE.CGEN
Side effects in sizeof
Side Effects in C Generic Selection
Compass/ROSE




Coverity
Include Page
Coverity_V
Coverity_V

MISRA C 2004 Rule 12.3

Partially implemented

ECLAIR

Include Page
ECLAIR_V
ECLAIR_V

CC2.EXP06

Fully implemented

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C3307
Klocwork
Include Page
Klocwork_V
Klocwork_V
MISRA.SIZEOF.SIDE_EFFECT
LDRA tool suite
Include Page
LDRA_V
LDRA_V

54 S, 653 S

Fully implemented

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-EXP44-a
CERT_C-EXP44-b

Object designated by a volatile lvalue should not be accessed in the operand of the sizeof operator
The function call that causes the side effect shall not be the operand of the sizeof operator

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

9006

Partially supported: reports use of sizeof with an expression that would have side effects

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule EXP44-C


Checks for situations when side effects of specified expressions are ignored (rule fully covered)

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V568
RuleChecker
Include Page
RuleChecker_V
RuleChecker_V

alignof-side-effect
generic-selection-side-effect
sizeof

Fully checked

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT CEXP52-CPP. Do not rely on side effects in unevaluated operandsPrior to 2018-01-12: CERT: Unspecified Relationship


...

Image Added Image Added Image Added

...