Checks: Added new MISRA12_13.2: The value of an expression and its persistent side effects shall be the same under all permitted evaluation orders [autosync]

github-actions[bot] · github-actions[bot] · commit 05255d0a03c9 · 2026-05-21T20:11:53.000Z
diff --git a/CodeCheck/Published Standards/MISRA C 2012/MISRA12_13.2/test.c b/CodeCheck/Published Standards/MISRA C 2012/MISRA12_13.2/test.c
@@ -26,6 +26,8 @@ void modified_twice(void)
     int i = 0;
     int j = 0;
     int x = 0;
+    int a[10];
+    int b[10];
 
     j = i++ + i++;                        /* UndCC_Violation - i modified twice */
     j = ++i + i++;                        /* UndCC_Violation - i modified twice */
@@ -34,9 +36,13 @@ void modified_twice(void)
     x = x = 0;                            /* UndCC_Violation - x modified twice (Note 2) */
     i = ++i;                              /* UndCC_Violation - i modified twice */
 
+    a[i++] = b[i++];                      /* UndCC_Violation - i modified twice (MISRA standard example: COPY_ELEMENT(i++)) */
+
     use(i);
     use(j);
     use(x);
+    use(a[0]);
+    use(b[0]);
 }
 
 /* ===== Subrule 3: modified and read elsewhere ===== */
@@ -81,6 +87,7 @@ void isolated_inc_dec(void)
 {
     int x = 0;
     int *p = &x;
+    int *q = &x;
     int a[10];
     int i = 0;
 
@@ -93,10 +100,13 @@ void isolated_inc_dec(void)
     use(a[i++]);                          /* UndCC_Valid */
 
     (*p)++;                               /* UndCC_Valid - p not modified, *p is not a VarDecl mod */
-    *p++;                                 /* UndCC_Valid - p modified once via post-inc */
+    *p++;                                 /* UndCC_Valid - p's read contributes to its own value computation */
+
+    *p++ = *q++;                          /* UndCC_Valid - p and q each modified once, no other access */
 
     use(x);
     use(*p);
+    use(*q);
 }
 
 /* ===== Sequence points break unsequenced regions ===== */
@@ -188,3 +198,128 @@ void sizeof_unevaluated(void)
 
     use(j);
 }
+
+/* ===== Multiple reads of the same variable - no modification ===== */
+
+void multiple_reads(void)
+{
+    int i = 0;
+    int j = 0;
+
+    f(i, i);                              /* UndCC_Valid - i read twice, no mod */
+    j = i + i;                            /* UndCC_Valid - i read twice */
+    j = i * i + i;                        /* UndCC_Valid */
+
+    use(j);
+}
+
+/* ===== Adjacent statements are independent full expressions ===== */
+
+void adjacent_statements(void)
+{
+    int i = 0;
+    int j = 0;
+
+    i++; i++;                             /* UndCC_Valid - each is its own full expression */
+    j = i++; j = i++;                     /* UndCC_Valid */
+
+    use(i);
+    use(j);
+}
+
+/* ===== Comma operator separates same-variable modifications ===== */
+
+void comma_separates_mods(void)
+{
+    int i = 0;
+    int j = 0;
+
+    (void)(i++, i++);                     /* UndCC_Valid - comma is a sequence point */
+    j = (i++, i);                         /* UndCC_Valid - covered in sequence_points_split also */
+    (void)(i = 0, i = 1);                 /* UndCC_Valid - two assignments separated by comma */
+
+    use(i);
+    use(j);
+}
+
+/* ===== Multi-declarator initializers are independent full expressions ===== */
+
+void multi_declarator_inits(void)
+{
+    int i = 0;
+
+    /* Each declarator's initializer is a separate full expression. */
+    int x = i++, y = i++;                 /* UndCC_Valid - two separate full expressions */
+    int p = i, q = i;                     /* UndCC_Valid */
+
+    use(x);
+    use(y);
+    use(p);
+    use(q);
+}
+
+/* ===== Unbraced control-flow bodies are still full expressions ===== */
+
+void unbraced_bodies(int cond)
+{
+    int i = 0;
+    int j = 0;
+    int a[10];
+
+    if (cond) i = i++;                    /* UndCC_Violation - i modified twice */
+    if (cond) a[i] = i++;                 /* UndCC_Violation - i modified and read */
+    else      j = i++ + i++;              /* UndCC_Violation - i modified twice */
+
+    while (cond) a[i] = i++;              /* UndCC_Violation */
+
+    do j = i + i++; while (0);            /* UndCC_Violation - i modified and read */
+
+    for (int k = 0; k < 1; ++k) j = i++ * i;  /* UndCC_Violation - body */
+
+    /* Compliant unbraced bodies should still be quiet */
+    if (cond) i++;                        /* UndCC_Valid */
+    while (cond) i = i + 1;               /* UndCC_Valid */
+    for (int k = 0; k < 1; ++k) i = i + 1;    /* UndCC_Valid */
+
+    use(i);
+    use(j);
+    use(a[0]);
+}
+
+/* ===== Switch case bodies ===== */
+
+void switch_case_bodies(int x)
+{
+    int i = 0;
+    int j = 0;
+
+    switch (x) {
+        case 0:
+            j = i++ + i++;                /* UndCC_Violation - i modified twice */
+            break;
+        case 1:
+            i++;                          /* UndCC_Valid */
+            break;
+        default:
+            j = i++ * i;                  /* UndCC_Violation - i modified and read */
+            break;
+    }
+
+    use(i);
+    use(j);
+}
+
+/* ===== Labelled statements ===== */
+
+void labelled_statements(int cond)
+{
+    int i = 0;
+    int j = 0;
+
+    if (!cond) goto end;
+    j = i + i++;                          /* UndCC_Violation - i modified and read */
+
+end:
+    j = i++;                              /* UndCC_Valid - single modification */
+    use(j);
+}
diff --git a/CodeCheck/clang/checks.json b/CodeCheck/clang/checks.json
@@ -2706,6 +2706,37 @@
       ]
     }
   },
+  "CPP_E091": {
+    "tags": ["Language: C", "Expressions"],
+    "key": "sti.SequencePointSideEffects",
+    "test": "MISRA12_13.2",
+    "name": "All Checks/Language Specific/C and C++/Expressions/The value of an expression and its persistent side effects shall be the same under all permitted evaluation orders",
+    "desc": {
+      "html": [
+        "<p><b>Rationale</b></p>",
+        "<p>The C Standard gives compilers considerable flexibility when evaluating expressions. Most operators may have their operands evaluated in any order; only <code>&amp;&amp;</code>, <code>||</code>, <code>?:</code>, and <code>,</code> introduce sequence points between operands. An object that is modified more than once between adjacent sequence points, or modified and read where the read does not contribute to computing the new value, has unspecified or undefined behaviour.</p>",
+        "<p><b>Scope</b></p>",
+        "<p>Each full expression (statement-level expression, condition, initializer, return value) is analysed and split on sequence-point operators into independent sub-regions. Within each region, plain variable accesses are classified as modifications (assignment LHS, compound-assignment LHS, <code>++</code> / <code>--</code> operand) or reads.</p>",
+        "<p><b>Implementation</b></p>",
+        "<p>A variable is flagged when:</p>",
+        "<ul>",
+        "  <li>It is modified more than once in a region &mdash; e.g. <code>i++ + i++</code>, <code>x = x = 0</code>.</li>",
+        "  <li>It is modified once and also read where the read is not part of computing the new value &mdash; e.g. <code>a[i] = i++</code>, <code>f(i, i++)</code>.</li>",
+        "</ul>",
+        "<p>Reads inside the right-hand side of an assignment or compound assignment to the same variable (e.g. <code>x = x + 1</code>, <code>x += y</code>) contribute to the value and are not flagged. <i>volatile</i> and atomic constraints (MISRA subrules 4&ndash;6) and indirect access via pointers or function calls are not analysed; modifications targeting non-variable expressions (members, array elements, dereferences) are not tracked.</p>",
+        "<p><b>Example</b></p>",
+        "<pre><code language=\"C\">i = i++;            /* Non-compliant - i modified twice */",
+        "x = x = 0;          /* Non-compliant - x modified twice */",
+        "a[i] = i++;         /* Non-compliant - i modified and read */",
+        "f(i, i++);          /* Non-compliant - i modified and read */",
+        "",
+        "x = x + 1;          /* Compliant - read of x contributes to new value */",
+        "x += y;             /* Compliant */",
+        "x++;                /* Compliant */",
+        "if (a &amp;&amp; b++) {}    /* Compliant - &amp;&amp; is a sequence point */</code></pre>"
+      ]
+    }
+  },
   "CPP_F071": {
     "tags": ["Language: C++", "Functions"],
     "key": "sti.SpecialMemberFunctions",
diff --git a/CodeCheck/clang/misra.json b/CodeCheck/clang/misra.json
@@ -4031,5 +4031,108 @@
         "<p>Rule 2.1, Rule 14.2</p>"
       ]
     }
+  },
+
+  "MISRA12_13.2": {
+    "tags": ["Language: C", "Standard: MISRA C 2012", "Category: Required", "Expressions"],
+    "key": "sti.SequencePointSideEffects",
+    "test": "MISRA12_13.2",
+    "name": "Published Standards/MISRA C 2012/13.2 The value of an expression and its persistent side effects shall be the same under all permitted evaluation orders",
+    "desc": {
+      "html": [
+        "<p><b>Amplification</b></p>",
+        "<p>Between any two adjacent sequence points:</p>",
+        "<ol>",
+        "  <li>No object shall be modified more than once;</li>",
+        "  <li>All parts of the expression are considered when determining whether an object is read or modified, irrespective of any known values.</li>",
+        "  <li>No object shall be both modified and read unless any such read of the object's value contributes towards computing the value to be stored into the object;</li>",
+        "  <li>There shall be no more than one modification access with <i>volatile</i>-qualified or atomic type;</li>",
+        "  <li>There shall be no more than one read access with <i>volatile</i>-qualified type;</li>",
+        "  <li>There shall be no more than one read access to an object with atomic type.</li>",
+        "</ol>",
+        "<p><i>Note 1:</i> An object might be accessed indirectly, by means of a pointer or a called function, as well as being accessed directly by the expression.</p>",
+        "<p><i>Note 2:</i> This Amplification is intentionally stricter than the headline of the rule. As a result, expressions such as <code>x = x = 0;</code> are not permitted by this rule even though the value and the <i>persistent side effects</i>, provided that x is not <i>volatile</i>, are independent of the order of evaluation or <i>side effects</i>.</p>",
+        "<p><b>Rationale</b></p>",
+        "<p>The C Standard gives considerable flexibility to compilers when evaluating expressions. Most operators can have their operands evaluated in any order. The main exceptions are the logical AND, logical OR, conditional and comma operators, which act as sequence points between their operands.</p>",
+        "<p>Many of the common instances of unpredictable behaviour, associated with expression evaluation, can be avoided by following the advice given by this rule. However, in order to simplify this rule, it does restrict some forms which are well-defined.</p>",
+        "<p><b>Example</b></p>",
+        "<p>When the <code>COPY_ELEMENT</code> macro is invoked in this non-compliant example, <code>i</code> is read twice and modified twice. It is unspecified whether the order of operations on <code>i</code> is read-modify-read-modify or read-read-modify-modify.</p>",
+        "<pre><code language=\"C\">#define COPY_ELEMENT( index ) ( a[( index )] = b[( index )] )",
+        "",
+        "COPY_ELEMENT ( i++ );</code></pre>",
+        "<p>The order of evaluation of function arguments is unspecified, as is the order in which <i>side effects</i> occur, as shown in this non-compliant example.</p>",
+        "<pre><code language=\"C\">uint16_t i = 0;",
+        "",
+        "/*",
+        " * Unspecified whether this call is equivalent to:",
+        " *      f ( 0, 0 )",
+        " * or   f ( 0, 1 )",
+        " */",
+        "f ( i++, i );</code></pre>",
+        "<p><b>Implementation</b></p>",
+        "<p>This is a conservative implementation of MISRA's \"Undecidable, System\" rule. It analyses each full expression and splits it on sequence-point operators (<code>&amp;&amp;</code>, <code>||</code>, <code>?:</code>, <code>,</code>) into independent sub-regions. Within each region, plain variable accesses are classified as modifications (assignment LHS, compound-assignment LHS, <code>++</code> / <code>--</code> operand) or reads. A variable is flagged when:</p>",
+        "<ul>",
+        "  <li>It is modified more than once (subrule 1) &mdash; e.g. <code>i++ + i++</code>, <code>x = x = 0</code>.</li>",
+        "  <li>It is modified once and also read where the read is not part of computing the new value (subrule 3) &mdash; e.g. <code>a[i] = i++</code>, <code>f(i, i++)</code>.</li>",
+        "</ul>",
+        "<p>Subrules 4&ndash;6 (additional <i>volatile</i> and atomic constraints) and indirect access via pointers or function calls (Note 1) are not analysed. Modifications targeting expressions that are not plain variable references (members, array elements, dereferences) are not tracked.</p>",
+        "<p><b>See also</b></p>",
+        "<p>Dir 4.9, Rule 13.1, Rule 13.3, Rule 13.4</p>"
+      ]
+    }
+  },
+
+  "MISRA23_13.2": {
+    "tags": ["Language: C", "Standard: MISRA C 2023", "Category: Required", "Expressions"],
+    "key": "sti.SequencePointSideEffects",
+    "test": "MISRA12_13.2",
+    "name": "Published Standards/MISRA C 2023/13.2 The value of an expression and its persistent side effects shall be the same under all permitted evaluation orders",
+    "desc": {
+      "html": [
+        "<p><b>Amplification</b></p>",
+        "<p>Between any two adjacent sequence points:</p>",
+        "<ol>",
+        "  <li>No object shall be modified more than once;</li>",
+        "  <li>All parts of the expression are considered when determining whether an object is read or modified, irrespective of any known values.</li>",
+        "  <li>No object shall be both modified and read unless any such read of the object's value contributes towards computing the value to be stored into the object;</li>",
+        "  <li>There shall be no more than one modification access with <i>volatile</i>-qualified or atomic type;</li>",
+        "  <li>There shall be no more than one read access with <i>volatile</i>-qualified type;</li>",
+        "  <li>There shall be no more than one read access to an object with atomic type.</li>",
+        "</ol>",
+        "<p><i>Note 1:</i> An object might be accessed indirectly, by means of a pointer or a called function, as well as being accessed directly by the expression.</p>",
+        "<p><i>Note 2:</i> This Amplification is intentionally stricter than the headline of the rule. As a result, expressions such as <code>x = x = 0;</code> are not permitted by this rule even though the value and the <i>persistent side effects</i>, provided that x is not <i>volatile</i>, are independent of the order of evaluation or <i>side effects</i>.</p>",
+        "<p><b>Implementation</b></p>",
+        "<p>Conservative subset: see MISRA C 2012 Rule 13.2 entry for details.</p>",
+        "<p><b>See also</b></p>",
+        "<p>Dir 4.9, Rule 13.1, Rule 13.3, Rule 13.4</p>"
+      ]
+    }
+  },
+
+  "MISRA25_13.2": {
+    "tags": ["Language: C", "Standard: MISRA C 2025", "Category: Required", "Expressions"],
+    "key": "sti.SequencePointSideEffects",
+    "test": "MISRA12_13.2",
+    "name": "Published Standards/MISRA C 2025/13.2 The value of an expression and its persistent side effects shall be the same under all permitted evaluation orders and shall be independent from thread interleaving",
+    "desc": {
+      "html": [
+        "<p><b>Amplification</b></p>",
+        "<p>Between any two adjacent sequence points:</p>",
+        "<ol>",
+        "  <li>No object shall be modified more than once;</li>",
+        "  <li>All parts of the expression are considered when determining whether an object is read or modified, irrespective of any known values.</li>",
+        "  <li>No object shall be both modified and read unless any such read of the object's value contributes towards computing the value to be stored into the object;</li>",
+        "  <li>There shall be no more than one modification access with <i>volatile</i>-qualified or atomic type;</li>",
+        "  <li>There shall be no more than one read access with <i>volatile</i>-qualified type;</li>",
+        "  <li>There shall be no more than one read access to an object with atomic type.</li>",
+        "</ol>",
+        "<p><i>Note 1:</i> An object might be accessed indirectly, by means of a pointer or a called function, as well as being accessed directly by the expression.</p>",
+        "<p><i>Note 2:</i> This Amplification is intentionally stricter than the headline of the rule. As a result, expressions such as <code>x = x = 0;</code> are not permitted by this rule even though the value and the <i>persistent side effects</i>, provided that x is not <i>volatile</i>, are independent of the order of evaluation or <i>side effects</i>.</p>",
+        "<p><b>Implementation</b></p>",
+        "<p>Conservative subset: see MISRA C 2012 Rule 13.2 entry for details. The thread-interleaving aspect of the 2025 rule (subrules 4&ndash;6 covering volatile and atomic types) is not analysed.</p>",
+        "<p><b>See also</b></p>",
+        "<p>Dir 4.9, Rule 13.1, Rule 13.3, Rule 13.4</p>"
+      ]
+    }
   }
 }
diff --git a/CodeCheck/noop/misra.json b/CodeCheck/noop/misra.json
