Some operators do not evaluate their operands beyond the type information the operands provide. When using one of these operators, do not pass an operand that would otherwise yield a side effect since the side effect will not be generated.
The sizeof operator yields the size (in bytes) of its operand, which may be an expression or the parenthesized name of a type. If . In most cases, the operand is not evaluated. A possible exception is when the type of the operand is not a variable length array type (VLA); then the expression is evaluated. When part of the operand of the sizeof operator is a VLA type and when changing the value of the VLA's size expression would not affect the result of the operator, it is unspecified whether or not the size expression is evaluated. (See unspecified behavior 22.)
The operand passed to_Alignof is never evaluated, despite not being an expression. For instance, if the operand is a VLA type and the VLA's size expression contains a side effect, that side effect is never evaluated.
The operand used in the controlling expression of a _Generic selection expression is never evaluated.
Providing an expression that appears to produce side effects may be misleading to programmers who are not aware that these expressions are not evaluated, and in the case of a VLA used in sizeof, have unspecified results. As a result, programmers may make invalid assumptions about program state, leading to errors and possible software vulnerabilities.
...
This rule is similar to PRE31-C. Avoid side effects in arguments to unsafe macros.
Noncompliant Code Example (sizeof)
In this noncompliant code example, the expression a++ is not evaluated:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
void func(void) {
int a = 14;
int b = sizeof(a++);
printf("%d, %d\n", a, b);
} |
Consequently, the value of a variable a will still have a value 14 after b has been initialized is 14.
Compliant Solution (sizeof)
In this compliant solution, the variable a is incremented outside of the sizeof operation:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h> void func int main(void) { int a = 14; int b = sizeof(a); a++ )a; printf("%d, %d\n", a, b); } |
Noncompliant Code Example (sizeof, VLA)
In this noncompliant code example, the expression ++n in the initialization expression of a must be evaluated because its value affects the size of the VLA operand of the sizeof operator. However, in the initialization expression of b, the expression ++n % 1 evaluates to 0. This means that the value of n does not affect the result of the sizeof operator. Consequently, it is unspecified whether or not n will be incremented when initializing b.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stddef.h> #include <stdio.h> void f(size_t n) { /* n must be = %d, %d.incremented */ size_t a = sizeof(int[++n]); /* n need not be incremented */ size_t b = sizeof(int[++n % 1 + 1]); printf("%zu, %zu, %zu\n", a, b, n); /* ... /* prints a, b = 14, 4. */ return 0; } |
The expression a++ is not evaluated. Consequently, side effects in the expression are not executed.
Implementation Specific Details
This example compiles cleanly under Microsoft Visual Studio 2005 Version 8.0, with the /W4 option.
Priority: P3 Level: L3
Operands to the sizeof operator which contain side effects are unlikely to result in software vulnerabilties, but can also be easily remediated.
Component | Value |
|---|---|
Severity | 1 (low) |
Likelihood | 1 (unlikely) |
Remediation cost | 3 (low) |
References
*/
} |
Compliant Solution (sizeof, VLA)
This compliant solution avoids changing the value of the variable n used in each sizeof expression and instead increments n safely afterwards:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stddef.h>
#include <stdio.h>
void f(size_t n) {
size_t a = sizeof(int[n + 1]);
++n;
size_t b = sizeof(int[n % 1 + 1]);
++n;
printf("%zu, %zu, %zu\n", a, b, n);
/* ... */
}
|
Noncompliant Code Example (_Generic)
This noncompliant code example attempts to modify a variable's value as part of the _Generic selection control expression. The programmer may expect that a is incremented, but because _Generic does not evaluate its control expression, the value of a is not modified.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
#define S(val) _Generic(val, int : 2, \
short : 3, \
default : 1)
void func(void) {
int a = 0;
int b = S(a++);
printf("%d, %d\n", a, b);
} |
Compliant Solution (_Generic)
In this compliant solution, a is incremented outside of the _Generic selection expression:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
#define S(val) _Generic(val, int : 2, \
short : 3, \
default : 1)
void func(void) {
int a = 0;
int b = S(a);
++a;
printf("%d, %d\n", a, b);
} |
Noncompliant Code Example (_Alignof)
This noncompliant code example attempts to modify a variable while getting its default alignment value. The user may have expected val to be incremented as part of the _Alignof expression, but because _Alignof does not evaluate its operand, val is unchanged.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
void func(void) {
int val = 0;
/* ... */
size_t align = _Alignof(int[++val]);
printf("%zu, %d\n", align, val);
/* ... */
} |
Compliant Solution (_Alignof)
This compliant solution moves the expression out of the _Alignof operator:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
void func(void) {
int val = 0;
/* ... */
++val;
size_t align = _Alignof(int[val]);
printf("%zu, %d\n", align, val);
/* ... */
} |
Exceptions
EXP44-C-EX1: Reading a volatile-qualified value is a side-effecting operation. However, accessing a value through a volatile-qualified type does not guarantee side effects will happen on the read of the value unless the underlying object is also volatile-qualified. Idiomatic reads of a volatile-qualified object are permissible as an operand to a sizeof(), _Alignof(), or _Generic expression, as in the following example:
| Code Block | ||||
|---|---|---|---|---|
| ||||
void f(void) {
int * volatile v;
(void)sizeof(*v);
} |
Risk Assessment
If expressions that appear to produce side effects are supplied to an operator that does not evaluate its operands, the results may be different than expected. Depending on how this result is used, it can lead to unintended program behavior.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
EXP44-C | Low | Unlikely | Low | P3 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| alignof-side-effect | Fully checked | ||||||
| Axivion Bauhaus Suite |
| CertC-EXP44 | |||||||
| Clang |
| -Wunevaluated-expression | Can diagnose some instance of this rule, but not all (such as the _Alignof NCCE). | ||||||
| CodeSonar |
| LANG.STRUCT.SE.SIZEOF LANG.STRUCT.SE.CGEN | Side effects in sizeof Side Effects in C Generic Selection | ||||||
| Compass/ROSE | |||||||||
| Coverity |
| MISRA C 2004 Rule 12.3 | Partially implemented | ||||||
| CC2.EXP06 | Fully implemented | |||||||
| Helix QAC |
| C3307 | |||||||
| Klocwork |
| MISRA.SIZEOF.SIDE_EFFECT | |||||||
| LDRA tool suite |
| 54 S, 653 S | Fully implemented | ||||||
| Parasoft C/C++test |
| CERT_C-EXP44-a | Object designated by a volatile lvalue should not be accessed in the operand of the sizeof operator | ||||||
| PC-lint Plus |
| 9006 | Partially supported: reports use of sizeof with an expression that would have side effects | ||||||
| Checks for situations when side effects of specified expressions are ignored (rule fully covered) | ||||||||
| PVS-Studio |
| V568 | |||||||
| RuleChecker |
| alignof-side-effect | Fully checked |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C | EXP52-CPP. Do not rely on side effects in unevaluated operands | Prior to 2018-01-12: CERT: Unspecified Relationship |
...
...