C programmers commonly make errors regarding the precedence rules of C operators because of the unintuitive low-precedence levels of &, |, ^, <<, and >>. Mistakes regarding precedence rules can be avoided by the suitable use of parentheses. Using parentheses defensively reduces errors and, if not taken to excess, makes the code more readable.

Subclause 6.5 of the C Standard defines the precedence of operation by the order of the subclauses.

Noncompliant Code Example

The intent of the expression in this noncompliant code example is to test the least significant bit of x:

x & 1 == 0

Because of operator precedence rules, the expression is parsed as

x & (1 == 0)

which evaluates to

(x & 0)

and then to 0.

Compliant Solution

In this compliant solution, parentheses are used to ensure the expression evaluates as expected:

(x & 1) == 0

Exceptions

EXP00-C-EX1: Mathematical expressions that follow algebraic order do not require parentheses. For instance, in the expression

x + y * z

the multiplication is performed before the addition by mathematical convention. Consequently, parentheses to enforce the algebraic order would be redundant:

x + (y * z)

Risk Assessment

Mistakes regarding precedence rules may cause an expression to be evaluated in an unintended way, which can lead to unexpected and abnormal program behavior.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

EXP00-C

Low

Probable

Medium

P4

L3

Automated Detection

Tool

Version

Checker

Description

Axivion Bauhaus Suite

CertC-EXP00Fully implemented
CodeSonar

LANG.STRUCT.PARENS

Missing Parentheses

ECLAIR

CC2.EXP00

Fully implemented

Klocwork
MISRA.EXPR.PARENS.2012
LDRA tool suite

361 S, 49 S

Fully implemented

Parasoft C/C++test

CERT_C-EXP00-a

Use parenthesis to clarify expression order if operators with precedence lower than arithmetic are used

Polyspace Bug Finder

CERT C: Rec. EXP00-C


Checks for possible unintended evaluation of expression because of operator precedence rules (rec. fully covered)

PRQA QA-C

3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400

Fully implemented
PVS-Studio

V502, V593, V634, V648
SonarQube C/C++ Plugin
S864

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++ Coding StandardVOID EXP00-CPP. Use parentheses for precedence of operation
ISO/IEC TR 24772:2013Operator Precedence/Order of Evaluation [JCW]
MISRA C:2012Rule 12.1 (advisory)

Bibliography

[Dowd 2006]Chapter 6, "C Language Issues" ("Precedence," pp. 287–288)
[Kernighan 1988]
[NASA-GB-1740.13]Section 6.4.3, "C Language"