CERT Secure Coding

MSC04-PL. Do not use comma to separate statements

Perl's comma operator (,) performs several duties. The most widely known duty is to serve as a list separator:

my @list = (2, 3, 5, 7);

Outside of list context, the comma can also be used to combine multiple expressions into one statement. Each expression is evaluated in order; the results of all but the last are discarded, and the last expression's result is returned as the result of the comma operator. Commas used this way are called thin commas [Conway 2005]. This behavior was adopted from C.

The potential for confusing thin commas with commas in list context is large enough to forbid use of thin commas. Commas must be used only to separate items in list context.

Noncompliant Code Example

This code example validates a file and indicates if it exists.

Non-compliant code
sub validate_file {
  my $file = shift(@_);
  if (-e $file) {
    return 1; # file exists
  }
  die "$file does not exist";
}

my $file = $ARGV[0];
validate_file($file), print "hi!\n";

This code behaves as expected. The comma operator is used to separate the call to validate_file and the subsequent call to print in the same statement. Consequently, the return value of validate_file is discarded before print is called.

This line of code looks like it would behave the same but instead behaves quite differently:

Non-compliant code
print validate_file($file), "hi!\n";

The print statement takes a list of items to print, and, in list context, the comma operator is assumed to separate list items. Consequently, if the file is valid, this program prints 1 before its friendly greeting.

Compliant Solution (Segregation)

This compliant solution segregates the call to validate_file into a separate statement.

Compliant code
validate_file($file);
print "hi!\n";

Compliant Solution (do)

If multiple functions must be invoked within one statement, a do block can be used to evaluate a list of expressions without using list context.

Compliant code
print do { validate_file($file); "hi!\n"};
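
The four forms above can be compared side by side. The script below is an added example, not code from the CERT page: it captures what each form prints, then shows the same comma expression in scalar and list context. The capture helper and the use of $0 (the running script) as the input file are assumptions made so the script runs on its own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# validate_file as defined on the page: 1 if the file exists, otherwise die.
sub validate_file {
    my $file = shift(@_);
    return 1 if -e $file;
    die "$file does not exist";
}

# Hypothetical helper: run a code ref with print redirected into a string.
sub capture {
    my ($code) = @_;
    my $out = '';
    open(my $fh, '>', \$out) or die "in-memory open failed: $!";
    my $old = select($fh);    # print without a handle now writes to $out
    $code->();
    select($old);
    close($fh);
    return $out;
}

my $file = $0;    # constructed input: the running script, so -e succeeds

my @forms = (
    [ 'thin comma (noncompliant)' => sub { validate_file($file), print "hi!\n" } ],
    [ 'list comma (noncompliant)' => sub { print validate_file($file), "hi!\n" } ],
    [ 'separate statements'       => sub { validate_file($file); print "hi!\n" } ],
    [ 'do block'                  => sub { print do { validate_file($file); "hi!\n" } } ],
);

for my $form (@forms) {
    my ($label, $code) = @$form;
    (my $shown = capture($code)) =~ s/\n/\\n/g;    # make the newline visible
    printf "%-28s prints \"%s\"\n", $label, $shown;
}

# The same comma expression in three contexts.
my $scalar  = (validate_file($file), "hi!\n");    # scalar context: thin comma
my ($first) = (validate_file($file), "hi!\n");    # list context: first element
my @all     = (validate_file($file), "hi!\n");    # list context: every element

# Self-check: the thin comma keeps only the last value, the list keeps both.
die "unexpected comma behavior"
    unless $scalar eq "hi!\n" && $first == 1 && @all == 2;
print "scalar context keeps the last value; list context keeps all ", scalar(@all), "\n";
```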

Risk Assessment

Using commas to separate statements can lead to unexpected program behavior and surprising results.

| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| MSC04-PL | Low | Probable | Medium | P4 | L3 |

Automated Detection

| Tool | Diagnostic |
|---|---|
| Perl::Critic | ValuesAndExpressions::ProhibitCommaSeparatedStatements |

Bibliography

[Conway 2005] "Thin Commas," p. 68
[CPAN] Elliot Shank, Perl-Critic-1.116 ValuesAndExpressions::ProhibitCommaSeparatedStatements