Programmers frequently make errors regarding the precedence of operators due to the unintuitive low-precedence levels of {{&}}, {{\|}}, {{\^}}, {{<<}}, and {{>>}}. Avoid mistakes regarding precedence through the suitable use of parentheses; this also improves code readability, unless taken to excess. The precedence of operations by the order of the subclauses are defined in the Java Tutorials \[[Tutorials 2008|AA. Bibliography#Tutorials 08]\]. |
Although the guideline EXP09-J. Do not depend on operator precedence while using expressions containing side-effects advises against depending on parentheses for specifying evaluation order, it applies only to expressions that contain side-effects.
The intent of the expression in this noncompliant code example is to add the variable OFFSET to the result of the bitwise AND between x and MASK.
public static final int MASK = 1337;
public static final int OFFSET = -1337;
public static int computeCode(int x) {
return x & MASK + OFFSET;
}
|
According to the operator precedence guidelines, the expression is parsed as the following:
x & (MASK + OFFSET) |
This expression gets evaluated, as shown below, resulting in the value 0.
x & (1337 - 1337) |
This compliant solution uses parentheses to ensure that the expression evaluates as intended.
public static final int MASK = 1337;
public static final int OFFSET = -1337;
public static int computeCode(int x) {
return (x & MASK) + OFFSET;
}
|
EXP00-EX1: Parentheses may be omitted from mathematical expressions that follow algebraic order. For instance, consider the expression:
x + y * z |
By mathematical convention, multiplication is performed before addition; parentheses are redundant in this case.
x + (y * z) |
Mistakes regarding precedence guidelines can cause an expression to be evaluated in an unintended way. This can lead to unexpected and abnormal program behavior.
Guideline |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
EXP06-J |
low |
probable |
medium |
P4 |
L3 |
Detection of all expressions using low-precedence operators without parentheses is straightforward. Determining the correctness of such uses is infeasible in the general case; heuristic warnings could be useful.
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
C Coding Standard: EXP00-C. Use parentheses for precedence of operation
C++ Secure Coding Standard: EXP00-CPP. Use parentheses for precedence of operation
\[[ESA 2005|AA. Bibliography#ESA 05]\] Rule 65: Use parentheses to explicitly indicate the order of execution of numerical operators \[[Tutorials 2008|AA. Bibliography#Tutorials 08]\] [Expressions, Statements, and Blocks|http://java.sun.com/docs/books/tutorial/java/nutsandbolts/expressions.html], [Operators|http://java.sun.com/docs/books/tutorial/java/nutsandbolts/operators.html] |
EXP05-J. Be aware of integer promotions in binary operators 04. Expressions (EXP) EXP07-J. Be aware of the short-circuit behavior of the conditional AND and OR operators