And in a safety environment, where MC/DC coverage is an important test parameter, single-path code makes a mockery of MC/DC metrics.

Saturation

Consider a simple function that relaces negative values with zero, cf. saturation.

1
2
3
4
5
6
7
8
int NoNegative1( int x )
{
    if( x < 0 )
    {
        x = 0;
    }
    return x;
}

There is a well-known, single-path implementation, where we take the 2s-complement sign bit and use that to create a mask. Rewriting NoNegative with this approach, we get the following.

1
2
3
4
5
int NoNegative2( int x )
{
    x &= ~( x >> 31 );
    return x;
}

In fact, this implementation is so well-known that a compiler will often recognize that these are equivalent and generate the same code for both implementations, see https://godbolt.org/z/MKG4de3j6.