Evaluation of an expression may produce side effects. At specific points during execution called sequence points, all side effects of previous evaluations have completed and no side effects of subsequent evaluations have yet taken place.
According to C99:
Between the previous and next sequence point an object can only have its stored value modified once by the evaluation of an expression. Additionally, the prior value can be read only to determine the value to be stored.
This requirement must be met for each allowable ordering of the subexpressions of a full expression; otherwise the behavior is undefined.
This rule means that statements such as
i = i + 1; a[i] = i;
are allowed, while statements like
/* i is modified twice between sequence points */ i = ++i + 1; /* i is read other than to determine the value to be stored */ a[i++] = i;
are not.
Noncompliant Code Example
Programs cannot safely rely on the order of evaluation of operands between sequence points. In this noncompliant code example, the order of evaluation of the operands to the + operator is unspecified.
a = i + b[++i];
If i
was equal to 0 before the statement, the statement may result in the following outcome:
a = 0 + b[1];
Or it may result in the following outcome:
a = 1 + b[1];
Compliant Solution
These examples are independent of the order of evaluation of the operands and can only be interpreted in one way.
++i; a = i + b[i];
Or alternatively:
a = i + b[i+1]; ++i;
Noncompliant Code Example
The order of evaluation for function arguments is unspecified.
func(i++, i);
The call to func()
has undefined behavior because there are no sequence points between the argument expressions. The first (left) argument expression reads the value of i
(to determine the value to be stored) and then modifies i
. The second (right) argument expression reads the value of i
between the same pair of sequence points as the first argument, but not to determine the value to be stored in i
. This additional attempt to read the value of i
has undefined behavior.
Compliant Solution
This solution is appropriate when the programmer intends for both arguments to func()
to be equivalent.
i++; func(i, i);
This solution is appropriate when the programmer intends for the second argument to be one greater than the first.
j = i++; func(j, i);
Risk Assessment
Attempting to modify an object multiple times between sequence points may cause that object to take on an unexpected value. This can lead to unexpected program behavior.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
EXP30-C |
medium |
probable |
medium |
P8 |
L2 |
Automated Detection
Splint Version 3.1.1 can detect violations of this rule.
GCC Compiler can detect violations of this rule when the -Wsequence-point
flag is used.
Compass/ROSE can detect simple violations of this rule. It needs to examine each expression and make sure that no variable is modified twice in the expression. Also no variable is modified once, and read elsewhere, with the single exception that a variable may appear on both the left and right of an assignment operator.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
This rule appears in the C++ Secure Coding Standard as EXP30-CPP. Do not depend on order of evaluation between sequence points.
References
[[ISO/IEC 9899:1999]] Section 5.1.2.3, "Program execution," Section 6.5, "Expressions," and Annex C, "Sequence points"
[[ISO/IEC PDTR 24772]] "JCW Operator precedence/Order of Evaluation" and "SAM Side-effects and order of evaluation"
[[MISRA 04]] Rule 12.1
[[Summit 05]] Questions 3.1, 3.2, 3.3, 3.3b, 3.7, 3.8, 3.9, 3.10a, 3.10b, and 3.11
[[Saks 07]]
03. Expressions (EXP) EXP31-C. Avoid side effects in assertions