Code that is executed but does not perform any action, or has an unintended effect, most likely results from a coding error and can result in unexpected behavior. Statements or expressions that have no effect should be identified and removed from code.
Non-Compliant Code Example (assignment)
In this example, the comparison of a
to b
has no effect.
int a; int b; /* ... */ a == b;
This is likely a case of the programmer mistakenly using the equals operator ==
instead of the assignment operator =
.
Compliant Solution (assignment)
The assignment of b
to a
is now properly performed.
int a; int b; /* ... */ a = b;
Non-Compliant Code Example (dereference)
In this example, p
is incremented and then dereferenced. However, *p
has no effect.
int *p; /* ... */ *p++;
Compliant Solution (dereference)
Correcting this example depends on the intent of the programmer. For instance, if dereferencing p
was a mistake, then p
should not be dereferenced.
int *p; /* ... */ p++;
If the intent was to increment the value referred to by p
, then parentheses can be used to ensure p
is dereferenced then incremented [[EXP00-A. Use parentheses for precedence of operation]].
int *p; /* ... */ (*p)++
Compliant Solution (memory mapped devices)
Another possibility is that p
is being using to reference a memory-mapped device. In this case, the variable p
should be declared as volatile
.
volatile int *p; /* ... */ (void) *p++;
Risk Assessment
The presence of code that has no effect could indicate logic errors that may result in unexpected behavior and vulnerabilities.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
MSC12-A |
1 (low) |
1 (unlikely) |
2 (medium) |
P2 |
L3 |
Automated Detection
The LDRA tool suite V 7.6.0 is able to detect violations of this recommendation.
The Coverity Prevent NO_EFFECT checker finds statements or expressions that do not accomplish anything, or statements that perform an unintended action.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[Coverity 07]] Coverity Prevent User's Manual (3.3.0) (2007).
[[ISO/IEC PDTR 24772]] "BRS Leveraging human experience," "BVQ Unspecified Functionality," "KOA Likely incorrect expressions," and "XYQ Dead and Deactivated Code"
[[MISRA 04]] Rule 14.1 and Rule 14.2
MSC11-A. Incorporate diagnostic tests using assertions 14. Miscellaneous (MSC) MSC13-A. Detect and remove unused values