Rule 0-1-6 and Boolean variables

Moderators: david ward, misra cpp

Post Reply
LordMordac
Posts: 8
Joined: Tue Jan 14, 2020 8:05 pm
Company: nvidia

Rule 0-1-6 and Boolean variables

Post by LordMordac » Wed Nov 18, 2020 9:50 pm

Rule 0-1-6 seems to be counter productive with Boolean variables. DU dataflow anomalies are normal and desirable with Boolean variables. For example:

Code: Select all

extern bool random_bool ();

bool non_compliant_and (void)
{
    bool const b1 = random_bool();
    bool const b2 = random_bool();

    return b1 && b2;   // b2 is DU dataflow anomaly when b1 is false
}

bool non_compliant_or (void)
{
    bool const b1 = random_bool();
    bool const b2 = random_bool();

    return b1 || b2;   // b2 is DU dataflow anomaly when b1 is true
}

bool compliant_and (void)
{
    bool const b1 = random_bool();
    bool const b2 = random_bool();

    bool tmp = b1;
    tmp = b2 && b1;

    return tmp;
}

bool compliant_or (void)
{
    bool const b1 = random_bool();
    bool const b2 = random_bool();

    bool tmp = b1;
    tmp = b2 || b1;

    return tmp;
}

The compliant and non-compliant code result in different binaries. Both seem equally safe, but the compliant solution is less efficient. Which seems at odds with the statement in MISRA spec claims
At best this (DU dataflow anomaly) is inefficient, but may indicate a genuine problem.
Is there any insight anyone can provide on such a perplexing problem?

dg1980
Posts: 117
Joined: Wed Apr 27, 2016 2:33 pm
Company: Elektrobit Automotive GmbH

Re: Rule 0-1-6 and Boolean variables

Post by dg1980 » Thu Nov 19, 2020 6:47 pm

Ehm, did you accidentally switch the compliant function body with the non-compliant one?
compliant_and + compliant or violate 0-1-6 as well as 0-1-9.

LordMordac
Posts: 8
Joined: Tue Jan 14, 2020 8:05 pm
Company: nvidia

Re: Rule 0-1-6 and Boolean variables

Post by LordMordac » Thu Nov 19, 2020 9:24 pm

Unfortunately the function bodies are not switched.

Code: Select all

bool non_compliant_and (void)
{
    bool const b1 = random_bool();  // Assume this value is false.
    bool const b2 = random_bool();  // This can be any value.

   /*  Due to short-circuit evaluation, the value of b2 is never evaluated (read).
    *  This causes a DU dataflow anomaly for b2, and hence the MISRA C++ Rule 0-1-6 violation.
    */
    return b1 && b2;   
}
The short-circuit evaluation is a required part of the language: C++ reference on logical operators

dg1980
Posts: 117
Joined: Wed Apr 27, 2016 2:33 pm
Company: Elektrobit Automotive GmbH

Re: Rule 0-1-6 and Boolean variables

Post by dg1980 » Fri Nov 20, 2020 7:25 am

I ran your example through https://gimpel.com/demo.html with settings "C++11, No standard library, MISRA C++ 2008" and non_compliant_and + non_compliant_or are in fact shown as compliant.
I also fail to see a violation of 0-1-6 there, unless function random_bool returns a fixed value.
On the other hand, compliant_and + compliant_or violate both 0-1-6 and 0-1-9 and I agree.

The only real problem with short circuit evaluation are constructs like this (violating rule 5-14-1):

Code: Select all

return b1 && random_bool();

LordMordac
Posts: 8
Joined: Tue Jan 14, 2020 8:05 pm
Company: nvidia

Re: Rule 0-1-6 and Boolean variables

Post by LordMordac » Fri Nov 20, 2020 10:44 pm

It does show up with the Coverity scanner from Synopsys, and I don't believe that it is a false positive either. I also believe Synopsys is interpreting the rule correctly here. Is this case a slight over sight of the MISRA committee? Am I wrong in my analysis? I don't have a problem with being wrong. I just want some feedback from the experts.

dg1980
Posts: 117
Joined: Wed Apr 27, 2016 2:33 pm
Company: Elektrobit Automotive GmbH

Re: Rule 0-1-6 and Boolean variables

Post by dg1980 » Sat Nov 21, 2020 8:37 am

If Coverity were right, you wouldn't be able to use operator && || etc. at all.
I am pretty sure this is not what MISRA had in mind.
But I am afraid we have to wait for an official reply.

misra cpp
Posts: 157
Joined: Mon Jun 02, 2008 1:55 pm
Company: MISRA

Re: Rule 0-1-6 and Boolean variables

Post by misra cpp » Wed Dec 02, 2020 3:25 pm

We don't see why any static analyser would report 'non_compliant_and' as non-compliant. If random_bool indeed generates a random boolean value, then you can't assume that its false, so both terms may be used in b1 && b2.

The DU anomaly should only be reported when code can never be used, like false && b2;

Similarly with 'non_compliant_or'
Posted by and on behalf of
the MISRA C++ Working Group

LordMordac
Posts: 8
Joined: Tue Jan 14, 2020 8:05 pm
Company: nvidia

Re: Rule 0-1-6 and Boolean variables

Post by LordMordac » Wed Dec 02, 2020 3:59 pm

Thank you. That is very helpful information. I will pass this information on to the Coverity folks.

LordMordac
Posts: 8
Joined: Tue Jan 14, 2020 8:05 pm
Company: nvidia

Re: Rule 0-1-6 and Boolean variables

Post by LordMordac » Wed Dec 02, 2020 9:36 pm

This clarification of the rule seems to be contrary to the first example provided in spec.

Code: Select all

int16_t critical (int16_t i, int16_t j)
{
    int16_t result = 0;
    int16_t k = ( 3 * i ) + ( j * j );
    
    // should k be checked here?
    if ( f2() )
    {
        // k will only be tested here if f2 returns true
        // Initialization of k could be moved here
        if ( k > 0 )
        {
            throw(42);
        }
    }
    // Non-compliant- value of k not used if f2 () returns false
    return result;
} 
Is this also compliant because there is a path through the code where k is read?

chgros
Posts: 3
Joined: Wed Jan 22, 2020 11:13 pm
Company: Synopsys Inc.

Re: Rule 0-1-6 and Boolean variables

Post by chgros » Wed Dec 02, 2020 10:02 pm

I'm interested in a ruling too, as maintainer of the Coverity static analyzer. We based our analysis on the examples, which as mentioned seem to imply the code mentioned in this discussion is non-compliant.
I've always found rule 0-1-6 to be both confusing (with the title mentioning "never" but the example implying "not always", and a "DU anomaly" being mentioned but never defined. Searches for DU anomaly tend to reference cases of a use of an undefined value rather than non-use of a defined value) and counterproductive (as fixing any error tends to make the code signficantly more complex), but tried to do my best to enforce it as written.

LordMordac
Posts: 8
Joined: Tue Jan 14, 2020 8:05 pm
Company: nvidia

Re: Rule 0-1-6 and Boolean variables

Post by LordMordac » Fri Jan 08, 2021 4:57 pm

I am not sure how to resolve the the conflicting information.
misra cpp wrote:
Wed Dec 02, 2020 3:25 pm
The DU anomaly should only be reported when code can never be used, like false && b2;
This information seems to conflict with the first example in the spec. I am not "trolling" the forum, I simply wish to understand the rule. For safety reasons I need to resolve the ambiguity.

misra cpp
Posts: 157
Joined: Mon Jun 02, 2008 1:55 pm
Company: MISRA

Re: Rule 0-1-6 and Boolean variables

Post by misra cpp » Fri Jan 29, 2021 3:11 pm

The use of unqualified "never" in the headline is unfortunate.

The intent was that values given to a local variable should be used on all paths through a function on which the variable is accessible - as illustrated by the example.

This rule is under review for the next release
Posted by and on behalf of
the MISRA C++ Working Group

chgros
Posts: 3
Joined: Wed Jan 22, 2020 11:13 pm
Company: Synopsys Inc.

Re: Rule 0-1-6 and Boolean variables

Post by chgros » Mon Mar 22, 2021 11:26 pm

So, to make extra sure, does this mean that the non-compliant examples (non_compliant_and, etc.) at the origin of this discussion really are not compliant (contradicting the previous ruling, which itself seemed to contradict the examples)?

Post Reply

Return to “6.0 Language independent issues (C++)”