 
                            Invoking getc() and putc() with stream arguments that have side effects may cause unexpected results because these functions may be implemented as macros and the stream arguments to these macros may be evaluated more than once.
This does not apply to the character argument in putc(), which is guaranteed to be evaluated exactly once.
Non-Compliant Code Example: getc()
This code calls the getc() function with an expression as the stream argument. If getc() is implemented as a macro, the file may be opened several times (see FIO31-C. Do not simultaneously open the same file multiple times).
FILE *fptr;
int c = getc(fptr = fopen(file_name, "r"));
if (c == EOF) {
  /* Handle Error */
}
This non-compliant code example also violaties FIO33-C. Detect and handle input output errors resulting in undefined behavior.
Compliant Solution: getc()
In this compliant solution, getc() is no longer called with an expression as its argument.
FILE *fptr;
int c;
if ((fptr = fopen(file_name, "r")) == NULL) {
  /* Handle Error */
}
if ((c = getc(fptr)) == EOF) {
  /* Handle Error */
}
Non-Compliant Code Example: putc()
In this non-compliant example, putc() is called with an expression as the stream argument. If putc() is implemented as a macro, the expression could be evaluated several times within the macro expansion of putc() with unintended results.
FILE *fptr = NULL;
int c = 'a';
while (c <= 'z') {
  if (putc(c++, fptr ? fptr : (fptr = fopen(file_name, "w")) == EOF) {
    /* Handle Error */
  }
}
If the putc() macro evaluates its stream argument multiple times, this might still seem safe, as the ?: operator ostensibly prevents multiple calls to fopen(). However, there is no guarantee that these would happen in distinct sequence points. Consequently this code also violates EXP30-C. Do not depend on order of evaluation between sequence points.
Compliant Solution: putc()
In the compliant solution, the stream argument to putc() no longer has side effects.
FILE *fptr = fopen(file_name, "w");
if (fptr == NULL) {
  /* Handle Error */
}
int c = 'a';
while (c <= 'z') {
  if (putc(c++, fptr) == EOF) {
    /* Handle Error */
  }
}
The c++ is perfectly safe, because putc() guarantees to evaluate its character argument exactly once.
This example only illustrates the side-effect issue. The output differs depending on the character set and one should not make assumptions about the order of the letters. For example, when run on a machine using an ASCII derived code set such as ISO-8859 or Unicode, this code sample will print out the 26 lower case letters of the English alphabet. However, if run with an EBCDIC based code set such as Codepage 037 or Codepage 285, punctuation marks marks or symbols might get printed out in between the letters.
Risk Assessment
Using an expression that has side effects as the stream argument to getc() or putc() can result in unexpected behavior and possibly abnormal program termination.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| FIO41-C | low | unlikely | medium | P2 | L3 | 
Automated Detection
The LDRA tool suite V 7.6.0 is able to detect violations of this rule.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899-1999]] Section 7.19.7.5, "The getc function," and Section 7.19.7.8, "The putc function"
FIO40-C. Reset strings on fgets() failure 09. Input Output (FIO) FIO42-C. Ensure files are properly closed when they are no longer needed