According to the Java Language Specification Section 15.7 "Evaluation Order":
The Java programming language guarantees that the operands of operators appear to be evaluated in a specific evaluation order, namely, from left to right.
Section 15.7.3 "Evaluation Respects Parentheses and Precedence", on the other hand states:
Java programming language implementations must respect the order of evaluation as indicated explicitly by parentheses and implicitly by operator precedence.
These two requirements can be counter intuitive when expressions contain side-effects. Evaluation of the operands proceeds left-to-right, without regard to operator precedence rules and indicative parentheses; evaluation of the operators, however, obeys precedence rules and parentheses. Best practice is to avoid using expressions that contain multiple side-effects. When used, such expressions must be carefully structured to respect the left-to-right evaluation order.
Noncompliant Code Example
This noncompliant code example shows how side-effects in expressions can lead to unanticipated outcomes. The programmer intends to write access control logic based on different threshold levels. Each user has a rating that must be above the threshold to be granted access. As shown, a simple function can calculate the rating. The get() method is expected to return a non-zero factor for users who are authorized, and a zero value for those who are unauthorized.
In this case, the programmer expects the rightmost subexpression to evaluate first because the * operator has a higher precedence than the + operator. The parentheses reinforce this belief. These ideas lead to the incorrect conclusion that the right hand side evaluates to zero whenever the get() method returns zero. The programmer expects number to be assigned 0 because of the rightmost number = get() subexpression. Consequently, the test in the left hand subexpression is expected to reject the unprivileged user because the rating value (number) is below the threshold of 10.
However, the program grants access to the unauthorized user, because evaluation of the side-effect infested subexpressions follows the left to right ordering rule.
class BadPrecedence {
public static void main(String[] args) {
int number = 17;
int[] threshold = new int[20];
threshold[0] = 10;
number = (number > threshold[0]? 0 : -2) + ((31 * ++number) * (number = get()));
// ...
if(number == 0) {
System.out.println("Access granted");
} else {
System.out.println("Denied access"); // number = -2
}
}
public static int get() {
int number = 0;
// Assign number to non zero value if authorized else 0
return number;
}
}
Compliant Solution
This compliant solution reorders the previous expression so that the left-to-right evaluation order of the operands corresponds with the programmer's intent.
number = ((31 * ++number) * (number=get())) + (number > threshold[0]? 0 : -2);
Although this solution solves the problem, it continues to represent poor practice, by using expressions with more than one side-effect. It also depends on the left-right ordering for evaluation of side-effects.
Compliant Solution
This compliant solution uses equivalent code with no side-effects. The resulting expression can be reordered without concern for the evaluation order of the component expressions, making the code easier to understand and maintain.
final int authnum = get(); number = ((31 * (number + 1)) * authnum) + (authnum > threshold[0]? 0 : -2);
Risk Assessment
Failure to understand the evaluation order of expressions containing side effects can result in unexpected output.
Guideline |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
EXP09-J |
low |
unlikely |
medium |
P2 |
L3 |
Automated Detection
Detection of all expressions involving both side-effects and also multiple operator precedence levels is straightforward. Determining the correctness of such uses is infeasible in the general case; heuristic warnings may be useful.
Other Languages
This guideline appears in the C Coding Standard as EXP30-C. Do not depend on order of evaluation between sequence points.
This guideline appears in the C++ Coding Standard as EXP30-CPP. Do not depend on order of evaluation between sequence points.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[[JLS 2005]] Section 15.7 "Evaluation Order" and 15.7.3 "Evaluation Respects Parentheses and Precedence"
EXP08-J. Understand the evaluation of expressions containing non-short-circuit operators 04. Expressions (EXP) EXP10-J. Avoid side effects in assertions