C programmers commonly make errors regarding the precedence rules of C operators due to because of the unintuitive low-precedence levels of &
, |
, ^
, <<
, and >>
. Mistakes regarding precedence rules can be avoided by the suitable use of parentheses. Using parentheses defensively reduces errors and, if not taken to excess, makes the code more readable.
Section Subclause 6.5 of the C Standard defines the precedence of operation by the order of the subclauses.
...
Code Block | ||||
---|---|---|---|---|
| ||||
(x & 1) == 0 |
Exceptions
EXP00-C-EX1: Mathematical expressions that follow algebraic order do not require parentheses. For instance, in the expression
Code Block |
---|
x + y * z
|
the multiplication is performed before the addition by mathematical convention. Consequently, parentheses to enforce the algebraic order would be redundant:
...
Mistakes regarding precedence rules may cause an expression to be evaluated in an unintended way. This , which can lead to unexpected and abnormal program behavior.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP00-C |
Low |
Probable |
Medium | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Axivion Bauhaus Suite |
| CertC-EXP00 | Fully implemented | ||||||
CodeSonar |
| LANG.STRUCT.PARENS | Missing Parentheses | ||||||
| CC2.EXP00 | Fully implemented | |||||||
Helix QAC |
| C3389, C3390, C3391, C3392, C3393, C3394, C3395, C3396, C3397, C3398, C3399, C3400 | |||||||
Klocwork |
| CERT.EXPR.PARENS | |||||||
LDRA tool suite |
| 361 S, 49 S | Fully implemented |
3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400
3401
Parasoft C/C++test |
| CERT_C-EXP00-a | Use parenthesis to clarify expression order if operators with precedence lower than arithmetic are used | ||||||
PC-lint Plus |
| 9050 | Fully supported | ||||||
Polyspace Bug Finder |
| Checks for possible unintended evaluation of expression because of operator precedence rules (rec. fully covered) | |||||||
PVS-Studio |
| V502, V593, V634, V648, V1104 | |||||||
SonarQube C/C++ Plugin |
| S864 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ |
Coding Standard | VOID EXP00-CPP. Use parentheses for precedence of operation |
ISO/IEC TR 24772:2013 | Operator Precedence/Order of Evaluation [JCW] |
MISRA C:2012 | Rule 12.1 (advisory) |
Bibliography
[Dowd 2006] | Chapter 6, "C Language Issues" ("Precedence," pp. 287–288) |
[ |
Kernighan 1988] |
[NASA-GB-1740.13] | Section 6.4.3, "C Language" |
...