Evaluation of an expression may produce side effects. At specific points during execution, known as sequence points, all side effects of previous evaluations have completed, and no side effects of subsequent evaluations have yet taken place.
The C standard, Section 6.5 [ISO/IEC 9899:2011], states:
If a side effect on a scalar object is unsequenced relative to either a different side effect on the same scalar object or a value computation using the value of the same scalar object, the behavior is undefined. If there are multiple allowable orderings of the subexpressions of an expression, the behavior is undefined if such an unsequenced side effect occurs in any of the orderings.
(See also undefined behavior 35 of Annex J.)
This requirement must be met for each allowable ordering of the subexpressions of a full expression; otherwise, the behavior is undefined.
The following sequence points are defined in Annex C of the C standard [ISO/IEC 9899:2011]:
- Between the evaluations of the function designator and actual arguments in a function call and the actual call.
- Between the evaluations of the first and second operands of the following operators:
- logical AND:
&& - logical OR:
|| - comma:
,
- Between the evaluations of the first operand of the conditional
?: operator and whichever of the second and third operands is evaluated. - The end of a full declarator.
- Between the evaluation of a full expression and the next full expression to be evaluated. The following are full expressions:
- an initializer that is not part of a compound literal
- the expression in an expression statement
- the controlling expression of a selection statement (
if or switch) - the controlling expression of a
while or do statement - each of the (optional) expressions of a
for statement - the (optional) expression in a
return statement
- Immediately before a library function returns.
- After the actions associated with each formatted input/output function conversion specifier.
- Immediately before and immediately after each call to a comparison function, and also between any call to a comparison function and any movement of the objects passed as arguments to that call.
Note that not all instances of a comma in C code denote a usage of the comma operator. For example, the comma between arguments in a function call is not a sequence point.
This rule means that statements such as
have well-defined behavior, and statements like
/* i is modified twice between sequence points */
i = ++i + 1;
/* i is read other than to determine the value to be stored */
a[i++] = i;
|
do not.
Noncompliant Code Example
Programs cannot safely rely on the order of evaluation of operands between sequence points. In this noncompliant code example, the order of evaluation of the operands to the + operator is unspecified.
If i was equal to 0 before the statement, the statement may result in the following outcome:
Or it may result in the following outcome:
Compliant Solution
These examples are independent of the order of evaluation of the operands and can be interpreted in only one way.
Or alternatively:
Noncompliant Code Example
The order of evaluation for function arguments is unspecified.
The call to func() has undefined behavior because there are no sequence points between the argument expressions. The first (left) argument expression reads the value of i (to determine the value to be stored) and then modifies i. The second (right) argument expression reads the value of i between the same pair of sequence points as the first argument, but not to determine the value to be stored in i. This additional attempt to read the value of i has undefined behavior.
Compliant Solution
This solution is appropriate when the programmer intends for both arguments to func() to be equivalent.
This solution is appropriate when the programmer intends for the second argument to be one greater than the first.
Risk Assessment
Attempting to modify an object multiple times between sequence points may cause that object to take on an unexpected value. This can lead to unexpected program behavior.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|
EXP30-C | medium | probable | medium | P8 | L2 |
Automated Detection
Tool | Version | Checker | Description |
|---|
Splint |  | | |
GCC |  | | Can detect violations of this rule when the -Wsequence-point flag is used. |
Compass/ROSE | | | Can detect simple violations of this rule. It needs to examine each expression and make sure that no variable is modified twice in the expression. It also must check that no variable is modified once, then read elsewhere, with the single exception that a variable may appear on both the left and right of an assignment operator. |
Coverity Prevent |  | EVALUATION_ORDER | Can detect the specific instance where a statement contains multiple side effects on the same value with an undefined evaluation order because, with different compiler flags or different compilers or platforms, the statement may behave differently. |
LDRA tool suite |  | 35 D
1 Q
9 S
30 S
134 S | Fully implemented. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: EXP30-CPP. Do not depend on order of evaluation between sequence points
The CERT Oracle Secure Coding Standard for Java: EXP05-J. Do not write more than once to the same variable within an expression
ISO/IEC 9899:2011] Section 5.1.2.3, "Program execution," Section 6.5, "Expressions," and Annex C, "Sequence points"
ISO/IEC TR 24772 "JCW Operator precedence/order of evaluation" and "SAM Side-effects and order of evaluation"
MISRA Rule 12.1
Bibliography
[Summit 2005] Questions 3.1, 3.2, 3.3, 3.3b, 3.7, 3.8, 3.9, 3.10a, 3.10b, and 3.11
[Saks 2007]
