You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 42 Next »

According to the Java Language Specification Section 15.7, "Evaluation Order"

The Java programming language guarantees that the operands of operators appear to be evaluated in a specific evaluation order, namely, from left to right.

JLS Section 15.7.3 "Evaluation Respects Parentheses and Precedence" adds:

Java programming language implementations must respect the order of evaluation as indicated explicitly by parentheses and implicitly by operator precedence.

These two requirements can be counter-intuitive when expressions contain side-effects. Evaluation of the operands proceeds left-to-right, without regard to operator precedence rules and indicative parentheses; evaluation of the operators, however, obeys precedence rules and parentheses.

It is recommended that any expression should never write to memory that it subsequently reads, and it should never write to any memory twice. Memory writing and reading can occur directly in the expression from assignments or indirectly through side-effects in functions called in the expression.

Noncompliant Code Example (Order of Evaluation)

This noncompliant code example shows how side-effects in expressions can lead to unanticipated outcomes. The programmer intends to write access control logic based on different threshold levels. Each user has a rating that must be above the threshold to be granted access. As shown, a simple function can calculate the rating. The get() method is expected to return a non-zero factor for users who are authorized, and a zero value for those who are unauthorized.

In this case, the programmer expects the rightmost subexpression to evaluate first because the * operator has a higher precedence than the + operator. The parentheses reinforce this belief. These ideas lead to the incorrect conclusion that the right hand side evaluates to zero whenever the get() method returns zero. The programmer expects number to be assigned 0 because of the rightmost number = get() subexpression. Consequently, the test in the left hand subexpression is expected to reject the unprivileged user because the rating value (number) is below the threshold of 10.

However, the program grants access to the unauthorized user because evaluation of the side-effect-infested subexpressions follows the left to right ordering rule.

class BadPrecedence {
  public static void main(String[] args) {
    int number = 17;
    int[] threshold = new int[20];
    threshold[0] = 10;
    number = (number > threshold[0]? 0 : -2) + ((31 * ++number) * (number = get()));
    // ... 
    if(number == 0) {
      System.out.println("Access granted");
    } else {
      System.out.println("Denied access"); // number = -2
    }
  }
  public static int get() {
    int number = 0;
    // Assign number to non zero value if authorized else 0
    return number;
  }
}

Noncompliant Code Example (Order of Evaluation)

This noncompliant code example reorders the previous expression so that the left-to-right evaluation order of the operands corresponds with the programmer's intent.

number = ((31 * ++number) * (number=get())) + (number > threshold[0]? 0 : -2);

Although this code performs as expected, it still represents poor practice, by writing to number three times in a single expression.

Compliant Solution (order of evaluation)

This compliant solution uses equivalent code with no side-effects. It performs only one write, to number. The resulting expression can be reordered without concern for the evaluation order of the component expressions, making the code easier to understand and maintain.

final int authnum = get();
number = ((31 * (number + 1)) * authnum) + (authnum > threshold[0]? 0 : -2);

Exceptions

EXP09:EX1: The postfix increment and postfix decrement operators (++ and --) assign a new value to a variable and then subsequently read it. These are well-understood and are an exception to the rule against reading memory that was written in the same expression.

EXP09:EX2: The logical operators || and && have well-understood short-circuit semantics, and so expressions involving these operators may violate this rule. Consider the following code:

InputStream in;
int i;
// Skip one char, process next
while ((i = in.read()) != -1 && (i = in.read()) != -1) {
  // ...
}

This code is compliant, because while the overall conditional expression violates the rule, the sub-expressions on either side of the && operator do not. Each has exactly one assignment and one side-effect (the reading of a character from in).

Risk Assessment

Failure to understand the evaluation order of expressions containing side effects can result in unexpected output.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

EXP09-J

low

unlikely

medium

P2

L3

Automated Detection

Detection of all expressions involving both side-effects and also multiple operator precedence levels is straightforward. Determining the correctness of such uses is infeasible in the general case; heuristic warnings could be useful.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Related Guidelines

C Coding Standard: EXP30-C. Do not depend on order of evaluation between sequence points

C++ Coding Standard: EXP30-CPP. Do not depend on order of evaluation between sequence points

Bibliography

[[JLS 2005]] Section 15.7 "Evaluation Order" and 15.7.3 "Evaluation Respects Parentheses and Precedence"


      04. Expressions (EXP)      EXP10-J. Avoid side-effects in assertions

  • No labels