3. Control Statements: Part I

During the 1960s, it became clear that the indiscriminate use of transfers of control was the root of a great deal of difficulty experienced by software development groups. The finger of blame was pointed at the goto statement that allows you to specify a transfer of control to one of many possible destinations in a program. The notion of so-called structured programming became almost synonymous with “goto elimination.”

The research of Bohm and Jacopini¹ had demonstrated that programs could be written without any goto statements. The challenge of the era was for programmers to shift their styles to “goto-less programming.” It was not until well into the 1970s that the programming profession started taking structured programming seriously. The results were impressive, as software development groups reported reduced development times, more frequent on-time delivery of systems and more frequent within-budget completion of software projects. Programs produced with structured techniques were clearer, easier to debug and modify and more likely to be bug free in the first place.

1. C. Bohm and G. Jacopini, “Flow Diagrams, Turing Machines, and Languages with Only Two Formation Rules,” Communications of the ACM, Vol. 9, No. 5, May 1966, pp. 336–371.

Bohm and Jacopini’s work demonstrated that all programs could be written in terms of only three control structures, namely the sequence structure, the selection structure and the repetition structure. The sequence structure is simple—unless directed otherwise, the computer executes C statements one after the other in the order in which they’re written.

The flowchart segment of Fig. 3.1 illustrates C’s sequence structure. We use the rectangle symbol, also called the action symbol, to indicate any type of action including a calculation or an input/output operation. The flowlines in the figure indicate the order in which the actions are performed—first, grade is added to total, then 1 is added to counter. C allows us to have as many actions as we want in a sequence structure. As we’ll soon see, anywhere a single action may be placed, we may place several actions in sequence.

When drawing a flowchart that represents a complete algorithm, a rounded rectangle symbol containing the word “Begin” is the first symbol used in the flowchart; a rounded rectangle symbol containing the word “End” is the last symbol used. When drawing only a portion of an algorithm as in Fig. 3.1, the rounded rectangle symbols are omitted in favor of using small circle symbols, also called connector symbols.

Perhaps the most important flowcharting symbol is the diamond symbol, also called the decision symbol, which indicates that a decision is to be made. We’ll discuss the diamond symbol in the next section.

That’s all there is. C has only seven control statements: sequence, three types of selection and three types of repetition. Each C program is formed by combining as many of each type of control statement as is appropriate for the algorithm the program implements. As with the sequence structure of Fig. 3.1, we’ll see that the flowchart representation of each control statement has two small circle symbols, one at the entry point to the control statement and one at the exit point. These single-entry/single-exit control statements make it easy to build clear programs. The control-statement flowchart segments can be attached to one another by connecting the exit point of one control statement to the entry point of the next. We call this control-statement stacking. There’s only one other way control statements may be connected—a method called control-statement nesting. Thus, any C program we’ll ever need to build can be constructed from only seven different types of control statements combined in only two ways. This is the essence of simplicity.

determines whether the condition grade >= 60 is true or false. If the condition is true, then "Passed" is printed, and the next statement in order is performed. If the condition is false, the printing is skipped, and the next statement in order is performed. The second line of this selection structure is indented. Such indentation is optional, but it’s highly recommended, as it helps emphasize the inherent structure of structured programs. The C compiler ignores white-space characters such as blanks, tabs and newlines used for indentation and vertical spacing.

The flowchart of Fig. 3.2 illustrates the single-selection if statement. The diamond-shaped decision symbol contains an expression, such as a condition, that can be either true or false. The decision symbol has two flowlines emerging from it. One indicates the direction to take when the expression in the symbol is true and the other the direction to take when the expression is false. Decisions can be based on conditions containing relational or equality operators. In fact, a decision can be based on any expression—if the expression evaluates to zero, it’s treated as false, and if it evaluates to nonzero, it’s treated as true.

prints "Passed" if the student’s grade is greater than or equal to 60 and "Failed" if the student’s grade is less than 60. In either case, after printing occurs, the next statement in sequence is performed. The body of the else is also indented. The flowchart of Fig. 3.3 illustrates the flow of control in this if...else statement.

contains as its argument a conditional expression that evaluates to the string "Passed" if the condition grade >= 60 is true and to the string "Failed" if the condition is false. The puts statement performs in essentially the same way as the preceding if...else statement.

The second and third operands in a conditional expression can also be actions to be executed. For example, the conditional expression

is read, “If grade is greater than or equal to 60, then puts("Passed"), otherwise puts("Failed").” This, too, is comparable to the preceding if...else statement. We’ll see that conditional operators can be used in some places where if...else statements cannot.

If the variable grade is greater than or equal to 90, all four conditions will be true, but only the puts statement after the first test will by executed. After that, the else part of the outer if...else statement is skipped and execution proceeds with the first statement after the entire code segment.

You may prefer to write the preceding if statement as

As far as the C compiler is concerned, both forms are equivalent. The latter is popular because it avoids the deep indentation of the code to the right. Such indentation can leave little room on a line, forcing lines to be split and decreasing program readability.

The if selection statement expects only one statement in its body—if you have only one statement in the if’s body, you do not need to enclose it in braces. To include several statements in the body of an if, you must enclose the set of statements in braces ({ and }). A set of statements contained within a pair of braces is called a compound statement or a block.

The following example includes a compound statement in the else part of an if...else statement.

Click here to view code image

In this case, if grade is less than 60, the program executes both puts statements in the body of the else and prints

Click here to view code image

The braces surrounding the two statements in the else clause are important. Without them, the statement

would be outside the body of the else part of the if and would always execute, regardless of whether grade was less than 60.

Just as a compound statement can be placed anywhere a single statement can be placed, it’s also possible to have no statement at all, i.e., the empty statement. The empty statement is represented by placing a semicolon (;) where a statement would normally be.

As an example of a while repetition statement, consider a program segment designed to find the first power of 3 larger than 100. Suppose the integer variable product has been initialized to 3. When the following while repetition statement finishes executing, product will contain the desired answer:

When the while statement is entered, the value of product is 3. The variable product is repeatedly multiplied by 3, taking on the values 9, 27 and 81 successively. When product becomes 243, the condition in the while statement, product <= 100, becomes false. This terminates the repetition, and the final value of product is 243. Program execution continues with the next statement after the while.

A class of ten students took a quiz. The grades (integers in the range 0 to 100) for this quiz are available to you. Determine the class average on the quiz.

The class average is equal to the sum of the grades divided by the number of students. The C program that solves this problem inputs each of the grades, performs the averaging calculation and prints the result (Fig. 3.5).

Click here to view code image

We use counter-controlled repetition to input the grades one at a time. This technique uses a counter to specify the number of times a set of statements should execute. In this example, repetition terminates when the counter exceeds 10.

We use a total and a counter. Because the counter variable is used to count from 1 to 10 in this program (all positive values), we declared the variable as an unsigned int, which can store only non-negative values (that is, 0 and higher).

The averaging calculation in the program produced an integer result of 81. Actually, the sum of the grades in this sample execution is 817, which when divided by 10 should yield 81.7, i.e., a number with a decimal point. We’ll see how to deal with such floating-point numbers in the next section.

Develop a class-averaging program that will process an arbitrary number of grades each time the program is run.

In the first class-average example, the number of grades (10) was known in advance. In this example, no indication is given of how many grades are to be entered. The program must process an arbitrary number of grades.

One way to solve this problem is to use a special value called a sentinel value (also called a signal value, a dummy value, or a flag value) to indicate “end of data entry.” The user types in grades until all legitimate grades have been entered. The user then types the sentinel value to indicate that “the last grade has been entered.”

Clearly, the sentinel value must be chosen so that it cannot be confused with an acceptable input value. Because grades on a quiz are normally nonnegative integers, –1 is an acceptable sentinel for this problem. Thus, a run of the class-average program might process a stream of inputs such as 95, 96, 75, 74, 89 and –1. The program would then compute and print the class average for the grades 95, 96, 75, 74, and 89 (the sentinel value –1 should not enter into the averaging calculation).

The program and a sample execution are shown in Fig. 3.6. Although only integer grades are entered, the averaging calculation is likely to produce a number with a decimal point. The type int cannot represent such a number. The program introduces the data type float to handle such floating-point numbers.

Click here to view code image

Notice the compound statement in the while loop (line 24) in Fig. 3.6. Once again, the braces are necessary to ensure that all four statements are executed within the loop. Without the braces, the last three statements in the body of the loop would fall outside the loop, causing the computer to interpret this code incorrectly as follows.

Click here to view code image

This would cause an infinite loop if the user did not input -1 for the first grade.

includes the cast operator (float), which creates a temporary floating-point copy of its operand, total. The value in total is still an integer. The cast operator performs an explicit conversion. The calculation now consists of a floating-point value (the temporary float version of total) divided by the unsigned int value stored in counter. C evaluates arithmetic expressions only in which the data types of the operands are identical. To ensure that the operands are of the same type, the compiler performs an operation called implicit conversion on selected operands. For example, in an expression containing the data types unsigned int and float, copies of unsigned int operands are made and converted to float. In our example, after a copy of counter is made and converted to float, the calculation is performed and the result of the floating-point division is assigned to average. C provides a set of rules for conversion of operands of different types. We discuss this further in Chapter 5.

Cast operators are available for most data types—they’re formed by placing parentheses around a type name. Each cast operator is a unary operator, i.e., an operator that takes only one operand. In Chapter 2, we studied the binary arithmetic operators. C also supports unary versions of the plus (+) and minus (-) operators, so you can write expressions such as +7 or –5. Cast operators associate from right to left and have the same precedence as other unary operators such as unary + and unary -. This precedence is one level higher than that of the multiplicative operators *, / and %.

Click here to view code image

Another way floating-point numbers develop is through division. When we divide 10 by 3, the result is 3.3333333... with the sequence of 3s repeating infinitely. The computer allocates only a fixed amount of space to hold such a value, so the stored floating-point value can be only an approximation.

Consider the following problem statement:

A college offers a course that prepares students for the state licensing exam for real estate brokers. Last year, 10 of the students who completed this course took the licensing examination. Naturally, the college wants to know how well its students did on the exam. You’ve been asked to write a program to summarize the results. You’ve been given a list of these 10 students. Next to each name a 1 is written if the student passed the exam and a 2 if the student failed.

Your program should analyze the results of the exam as follows:

1. Input each test result (i.e., a 1 or a 2). Display the prompting message “Enter result” each time the program requests another test result.

2. Count the number of test results of each type.

3. Display a summary of the test results indicating the number of students who passed and the number who failed.

4. If more than eight students passed the exam, print the message “Bonus to instructor!”

After reading the problem statement carefully, we make the following observations:

1. The program must process 10 test results. A counter-controlled loop will be used.

2. Each test result is a number—either a 1 or a 2. Each time the program reads a test result, the program must determine whether the number is a 1 or a 2. We test for a 1 in our algorithm. If the number is not a 1, we assume that it’s a 2. As an exercise, you should modify the program to explicitly test for 2 and issue an error message if the test result is neither 1 nor 2.

3. Two counters are used—one to count the number of students who passed the exam and one to count the number of students who failed the exam.

4. After the program has processed all the results, it must decide whether more than 8 students passed the exam.

The C program and two sample executions are shown in Fig. 3.7. We’ve taken advantage of a feature of C that allows initialization to be incorporated into definitions (lines 9–11). Such initialization occurs at compile time. Also, notice that when you output an unsigned int you use the %u conversion specifier (lines 33–34).

Click here to view code image

can be abbreviated with the addition assignment operator += as

The += operator adds the value of the expression on the right of the operator to the value of the variable on the left of the operator and stores the result in the variable on the left of the operator. Any statement of the form

where operator is one of the binary operators +, -, *, / or % (or others we’ll discuss in Chapter 10), can be written in the form

Thus the assignment c += 3 adds 3 to c. Figure 3.8 shows the arithmetic assignment operators, sample expressions using these operators and explanations.

Click here to view code image

The program displays the value of c before and after the ++ operator is used. The decrement operator (--) works similarly.

The three assignment statements in Fig. 3.7

can be written more concisely with assignment operators as

with preincrement operators as

or with postincrement operators as

It’s important to note here that when incrementing or decrementing a variable in a statement by itself, the preincrement and postincrement forms have the same effect. It’s only when a variable appears in the context of a larger expression that preincrementing and postincrementing have different effects (and similarly for predecrementing and post-decrementing). Of the expressions we’ve studied thus far, only a simple variable name may be used as the operand of an increment or decrement operator.

Figure 3.11 lists the precedence and associativity of the operators introduced to this point. The operators are shown top to bottom in decreasing order of precedence. The second column indicates the associativity of the operators at each level of precedence. Notice that the unary operators increment (++), decrement (--), plus (+), minus (-) and casts, and the assignment operators =, +=, -=, *=, /= and %=, and the conditional operator (?:) associate from right to left. The third column names the various groups of operators. All other operators in Fig. 3.11 associate from left to right.

Even this simple statement has a potential problem—adding the integers could result in a value that’s too large to store in an int variable. This is known as arithmetic overflow and can cause undefined behavior, possibly leaving a system open to attack.

The maximum and minimum values that can be stored in an int variable are represented by the constants INT_MAX and INT_MIN, respectively, which are defined in the header <limits.h>. There are similar constants for the other integral types that we’ll be introducing in Chapter 4. You can see your platform’s values for these constants by opening the header <limits.h> in a text editor.

It’s considered a good practice to ensure that before you perform arithmetic calculations like the one in line 18 of Fig. 2.5, they will not overflow. The code for doing this is shown on the CERT website www.securecoding.cert.org—just search for guideline “INT32-C.” The code uses the && (logical AND) and || (logical OR) operators (introduced in Chapter 4). In industrial-strength code, you should perform checks like these for all calculations. In later chapters, we’ll show other programming techniques for handling such errors.

The class-averaging program in Fig. 3.5 could have declared as unsigned int the variables grade, total and average. Grades are normally values from 0 to 100, so the total and average should each be greater than or equal to 0. We declared those variables as ints because we can’t control what the user actually enters—the user could enter negative values. Worse yet, the user could enter a value that’s not even a number. (We’ll show how to deal with such inputs later in the book.)

Sometimes sentinel-controlled loops use invalid values to terminate a loop. For example, the class-averaging program of Fig. 3.6 terminates the loop when the user enters the sentinel -1 (an invalid grade), so it would be improper to declare variable grade as an unsigned int. As you’ll see, the end-of-file (EOF) indicator—which is introduced in the next chapter and is often used to terminate sentinel-controlled loops—is also a negative number. For more information, see Chapter 5, Integer Security, of Robert Seacord’s book Secure Coding in C and C++.

Microsoft implemented its own versions of printf_s and scanf_s prior to the publication of the C11 standard and immediately began issuing compiler warnings for every scanf call. The warnings say that scanf is deprecated—it should no longer be used—and that you should consider using scanf_s instead.

Many organizations have coding standards that require code to compile without warning messages. There are two ways to eliminate Visual C++’s scanf warnings—you can use scanf_s instead of scanf or you can disable these warnings. For the input statements we’ve used so far, Visual C++ users can simply replace scanf with scanf_s. You can disable the warning messages in Visual C++ as follows:

1. Type Alt F7 to display the Property Pages dialog for your project.

2. In the left column, expand Configuration Properties > C/C++ and select Preprocessor.

3. In the right column, at the end of the value for Preprocessor Definitions, insert

4. Click OK to save the changes.

You’ll no longer receive warnings on scanf (or any other functions that Microsoft has deprecated for similar reasons). For industrial-strength coding, disabling the warnings is discouraged. We’ll say more about how to use scanf_s and printf_s in a later Secure C Coding Guidelines section.