如果表达式为布尔类型，则使用Misra-C 2012规则10.1布尔操作数

Question

The following lines generate misra violations.

unsigned int u16_a;
unsigned char u8_b;  
if (u16_a && u8_b) // Generates Misra-C 10.1 violation. 
(u16_a) ? 2 : 1 //Generates Misra-C 10.1 violation.

The violation says the operand is of essential signed type but should be of boolean type.

For the 1st violation, If I type cast them to _Bool type, will it not result in overflow since I remember size of bool datatype is 1 byte.

For the 2nd violation tried this:

(u16_a == 0)? 1 :2 // does this work

I'm pretty new in dealing MISRA violations and confused with most of the violations. Thanks, in advance.

Answer 1

Basically, MISRA-C wants us to treat logical/relational operators as if they returned a bool type (like in C++) and generally "pretend" that C has a distinct bool type that is separate from integers. This gives increased type safety when you use static analysis tools.

Which means that you have to be explicit with checks against zero:

if ( (u16_a!=0u) && (u8_b!=0u) )

and

(u16_a!=0) ? 2u : 1u

Or preferably something more readable:

bool b_a = u16_a!=0u;
bool b_b = u8_b!=0u;

if(b_a && b_b) // MISRA compliant, operands are essentially boolean types

Answer 2

Use if ( (u16_a !=0u) && (u8_b != 0u) ) instead of if (u16_a && u8_b) for the first example.

For the latter: (u16_a == 0)? 1 :2 (u16_a == 0)? 1 :2 seems to be ok to me.

Bottom line is that the whole point of this MISRA requirement is: "specify explicitly when comparing against a value, instead of relying on the defaults".

Answer 3

The C standard says:

6.3.1.2 Boolean type

1 When any scalar value is converted to _Bool, the result is 0 if the value compares equal to 0; otherwise, the result is 1.

So casting to _Bool does the right thing. (x != 0) may be more readable than ((_Bool)x) though.