CertC++-EXP52¶
Do not rely on side effects in unevaluated operands
Required inputs: IR
Some expressions involve operands that are unevaluated. The C++ Standard, [expr], paragraph 8 [ ISO/IEC 14882-2014] states the following:
In some contexts, unevaluated operands appear. An unevaluated operand is not evaluated. An unevaluated operand is considered a full-expression. [Note: In an unevaluated operand, a non-static class member may be named (5.1) and naming of objects or functions does not, by itself, require that a definition be provided. - end note]
The following expressions do not evaluate
their operands:
sizeof(),
typeid(),
noexcept(),
decltype(), and
declval().
Because an unevaluated operand in an expression is not evaluated, no side effects from that operand are triggered. Reliance on those side effects will result in unexpected behavior. Do not rely on side effects in unevaluated operands.
Unevaluated expression operands are used when the declaration of an object is
required but the definition of the object is not. For instance, in the
following example, the function
f() is overloaded, relying on the unevaluated expression operand
to select the desired overload, which is then used to determine the result of
the
sizeof() expression.
int f(int); double f(double); size_t size = sizeof(f(0));
Such a use does not rely on the side effects of
f() and consequently conforms to this guideline.
Noncompliant Code Example (
sizeof)
In this noncompliant code example, the expression
a++ is not evaluated.
#include <iostream>
void f() {
int a = 14;
int b = sizeof(a++);
std::cout << a << ", " << b << std::endl;
}
Consequently, the value of
a after
b has been initialized is 14.
Compliant Solution (
sizeof)
In this compliant solution, the variable
a is incremented outside of the
sizeof operator.
#include <iostream>
void f() {
int a = 14;
int b = sizeof(a);
++a;
std::cout << a << ", " << b << std::endl;
}
Noncompliant Code Example (
decltype)
In this noncompliant code example, the expression
i++ is not evaluated within the
decltype specifier.
#include <iostream>
void f() {
int i = 0;
decltype(i++) h = 12;
std::cout << i;
}
Consequently, the value of i remains 0.
Compliant Solution (
decltype)
In this compliant solution,
i is incremented outside of the
decltype specifier so that it is evaluated as desired.
#include <iostream>
void f() {
int i = 0;
decltype(i) h = 12;
++i;
std::cout << i;
}
Exceptions
EXP52-CPP-EX1: It is permissible for an expression with side effects to be used as an unevaluated operand in a macro definition or SFINAE context. Although these situations rely on the side effects to produce valid code, they typically do not rely on values produced as a result of the side effects.
The following code is an example of compliant code using an unevaluated operand in a macro definition.
void small(int x);
void large(long long x);
#define m(x) \
do { \
if (sizeof(x) == sizeof(int)) { \
small(x); \
} else if (sizeof(x) == sizeof(long long)) { \
large(x); \
} \
} while (0)
void f() {
int i = 0;
m(++i);
}
The expansion of the macro
m will result in the expression
++i being used as an unevaluated operand to
sizeof(). However, the expectation of the programmer at the
expansion loci is that
i is preincremented only once. Consequently, this is a safe macro
and complies with
PRE31-C.
Avoid side effects in arguments to unsafe macros. Compliance with that rule
is especially important for code that follows this exception.
The following code is an example of compliant code using an unevaluated operand in a SFINAE context to determine whether a type can be postfix incremented.
#include <iostream>
#include <type_traits>
#include <utility>
template <typename T>
class is_incrementable {
typedef char one[1];
typedef char two[2];
static one &is_incrementable_helper(decltype(std::declval<typename std::remove_cv<T>::type&>()++) *p);
static two &is_incrementable_helper(...);
public:
static const bool value = sizeof(is_incrementable_helper(nullptr)) == sizeof(one);
};
void f() {
std::cout << std::boolalpha << is_incrementable<int>::value;
}
In an instantiation of
is_incrementable, the use of the postfix increment operator
generates side effects that are used to determine whether the type is postfix
incrementable. However, the value result of these side effects is discarded, so
the side effects are used only for SFINAE.
Risk Assessment
If expressions that appear to produce side effects are an unevaluated operand, the results may be different than expected. Depending on how this result is used, it can lead to unintended program behavior.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| EXP52-CPP | Low | Unlikely | Low | P3 | L3 |
Related Guidelines
| SEI CERT C Coding Standard | EXP44-C. Do not rely on side effects in operands to sizeof, _Alignof, or _Generic |
Bibliography
| [ ISO/IEC 14882-2014] | Clause 5, "Expressions" Subclause 20.2.5, "Function Template declval"
|
Possible Messages
Key |
Text |
Severity |
Disabled |
|---|---|---|---|
side_effect_in_unevaluated |
Operand of “{expr}” shall not contain side effects |
None |
False |
Options¶
This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity
The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions
allow_in_macro_definition¶
allow_in_macro_definition : bool = True
allow_in_sfinae¶
allow_in_sfinae : bool = True
expressions_to_check¶
expressions_to_check
Mapping of physical expression classes to tuples of (field_name, expr_name) to check.Type: dict[bauhaus.ir.PIR_Class_Name, typing.Tuple[str, str]]
Default:
{ 'Decltype_Selection': ('Operand', 'decltype'), 'Noexcept_Operator': ('Operand', 'noexcept'), 'Sizeof_Operator': ('Operand', 'sizeof'), 'Typeid_Operator': ('Operand', 'typeid') }