Possible invalid operation on boolean operand

Operation can exceed precision of Boolean operand or result in arbitrary value

expand all in page

Description

This defect occurs when you use a Boolean operand in an arithmetic, relational, or bitwise operation and:

  • The Boolean operand has a trap representation. The size of a Boolean type in memory is at least one addressable unit (size of char). A Boolean type requires only one bit to represent the value true (1) or false (0). The representation of a Boolean operand in memory contains padding bits. The memory representation can result in values that are not true or false, a trap representation.

  • The result of the operation can exceed the precision of the Boolean operand.

For example, in this code snippet:

bool_v >> 2

  • If the value of bool_v is true (1) or false (0), the bitwise shift exceeds the one-bit precision of bool_v and always results in 0.

  • If bool_v has a trap representation, the result of the operation is an arbitrary value.

Possible invalid operation on boolean operand raises no defect when:

  • The operation does not result in a precision overflow. For instance, bitwise & or | operations with 0x01 or 0x00.

  • The Boolean operand cannot have a trap representation. For instance, a constant expression that results in 0 or 1, or a comparison evaluated to true or false.

Risk

Arithmetic, relational, or bitwise operations on a Boolean operand can exceed the operand precision and cause unexpected results when used as a Boolean value. Operations on Boolean operands with trap representations can return arbitrary values.

Fix

Avoid performing operations on Boolean operands other than these operations:

  • Assignment operation (=).

  • Equality operations (== or !=).

  • Logical operations (&&, ||, or !).

Examples

expand all

#include <stdio.h>
#include <stdbool.h>

#define BOOL _Bool

int arr[2] = {1, 2};

int func(BOOL b)
{
    return arr[b];
}

int main(void)
{
    BOOL b;
    char* ptr = (char*)&b;
    *ptr = 64;
    return func(b);
}

In this example, Boolean operand b is used as an array index in func for an array with two elements. Depending on the compiler and optimization flags you use, the value b might not be 0 or 1. For instance, in Linux® Debian 8, if you use gcc version 4.9 with optimization flag -O0, the value of b is 64, which causes a buffer overflow.

Correction — Use Only Last Significant Bit Value of Boolean Operand

One possible correction is to use a variable b0 of type unsigned int to get only the value of the last significant bit of the Boolean operand. The value of this bit is in the range [0..1], even if the Boolean operand has a trap representation.

#include <stdio.h>
#include <stdbool.h>

#define BOOL _Bool

int arr[2] = {1, 2};

int func(BOOL b)
{
    unsigned int b0 = (unsigned int)b;
    b0 &= 0x1;
    return arr[b0];
}

int main(void)
{
    BOOL b;
    char* ptr = (char*)&b;
    *ptr = 64;
    return func(b);
}

Note that a trap representation is often the result of an earlier issue in the code, such as:

  • A non-initialized variable of bool type.

  • A side effect that modifies any part of a bool type object using a lvalue expression.

  • A read of a bool member from a union type with the last stored value of another type.

As such, it is best practice to respect boolean semantics even in C++ code.

#include <iostream>

template <typename T>
bool less_or_equal(const T& x, const T& y)
{
    std::cout << "INTEGER VERSION" << '\n';
    return x <= y;
}
bool b1 = true, b2 = false;
int i1 = 2, i2 = 3;

int main()
{
    std::cout << std::boolalpha;
    std::cout << "less_or_equal(" << b1 << ',' << b2 << ") = " << less_or_equal<bool>(b1, b2) << '\n';
    std::cout << "less_or_equal(" << i1 << ',' << i2 << ") = " << less_or_equal<int>(11, 12) << '\n';
    return 0;
}

In this example, function template less_or_equal evaluates whether variable x is less than or equal to y. When you pass boolean types to this function, the <= operation might result in an arbitrary value if the memory representation of the operands, including their padding bits, is neither 1 nor 0.

Correction — Specialize Function Template for Boolean Types

One possible correction is to specialize the function template for boolean types. The specialized function template uses a logical (||) operation to compare the boolean operands.

#include <iostream>

template <typename T>
bool less_or_equal(const T& x, const T& y)
{
    std::cout << "INTEGER VERSION" << '\n';
    return x <= y;
}

template<>
bool less_or_equal<bool>(const bool& x, const bool& y)
{
    std::cout << "BOOLEAN VERSION" << '\n';
    return !x || y;
}

bool b1 = true, b2 = false;
int i1 = 2, i2 = 3;

int main()
{
    std::cout << std::boolalpha;
    std::cout << "less_or_equal(" << b1 << ',' << b2 << ") = " << less_or_equal<bool>(b1, b2) << '\n';
    std::cout << "less_or_equal(" << i1 << ',' << i2 << ") = " << less_or_equal<int>(11, 12) << '\n';
    return 0;
}

Result Information

Group: Numerical
Language: C | C++
Default: Off
Command-Line Syntax: INVALID_OPERATION_ON_BOOLEAN
Impact: Low

Version History

Introduced in R2018b

See Also

| | | | | | | | | | | | |

Topics