SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 54 Next »

Programmers frequently make errors regarding the precedence of operators due to the unintuitive low-precedence levels of &, |, ^, <<, and >>. Avoid mistakes regarding precedence through the suitable use of parentheses; this also improves code readability, unless taken to excess. The precedence of operations by the order of the subclauses are defined in the Java Tutorials [[Tutorials 2008]].

Although the guideline EXP09-J. Do not depend on operator precedence while using expressions containing side-effects advises against depending on parentheses for specifying evaluation order, it applies only to expressions that contain side-effects.

Noncompliant Code Example

The intent of the expression in this noncompliant code example is to add the variable OFFSET to the result of the bitwise AND between x and MASK.

public static final int MASK = 1337;
public static final int OFFSET = -1337;

public static int computeCode(int x) {
  return x & MASK + OFFSET;
}

According to the operator precedence guidelines, the expression is parsed as the following:

x & (MASK + OFFSET)

This expression gets evaluated, as shown below, resulting in the value 0.

x & (1337 - 1337)

Compliant Solution

This compliant solution uses parentheses to ensure that the expression evaluates as intended.

public static final int MASK = 1337;
public static final int OFFSET = -1337;

public static int computeCode(int x) {
  return (x & MASK) + OFFSET;
}

Exceptions

EXP00-EX1: Parentheses may be omitted from mathematical expressions that follow conventional algebraic order. For instance, consider the expression:

x + y * z

By mathematical convention, multiplication is performed before addition; parentheses are redundant in this case.

x + (y * z)

Risk Assessment

Mistakes regarding precedence guidelines can cause an expression to be evaluated in an unintended way. This can lead to unexpected and abnormal program behavior.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

EXP06-J

low

probable

medium

P4

L3

Automated Detection

Detection of all expressions using low-precedence operators without parentheses is straightforward. Determining the correctness of such uses is infeasible in the general case; heuristic warnings could be useful.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Related Guidelines

C Coding Standard: EXP00-C. Use parentheses for precedence of operation

C++ Secure Coding Standard: EXP00-CPP. Use parentheses for precedence of operation

Bibliography

[[ESA 2005]] Rule 65: Use parentheses to explicitly indicate the order of execution of numerical operators
[[Tutorials 2008]] Expressions, Statements, and Blocks, Operators

EXP05-J. Be aware of integer promotions in binary operators      04. Expressions (EXP)      EXP07-J. Be aware of the short-circuit behavior of the conditional AND and OR operators

  • No labels