CERT C: Rec. INT16-C

Do not make assumptions about representation of signed integers

Since R2026a

Description

Do not make assumptions about representation of signed integers1

Polyspace Implementation

The rule checker checks for Bitwise operation on signed operand.

Examples

Issue

This issue occurs when you perform bitwise operations or shift operations on signed operands.

As an exception, Polyspace® does not report a violation on a signed left operand of a shift operation if all of these conditions are true:

  • The signed left operand is a nonnegative constant expression.

  • The type of the signed left operand before integral promotion uses two's complement representation.

  • The right operand of the shift operator is a constant expression with a minimum value of 0 and a maximum value of (sizeof(T)*CHAR_BIT-1), where T is the type of the right operand.

  • The shift operation does not shift into or beyond the most significant bit or the sign bit.

Risk

Performing bitwise operations and shift operations on signed operands can result in implementation-defined or undefined behavior. For example:

  • Shifting by a right operand whose value is greater than or equal to the width in bits of the promoted left operand

  • Shifting by a negative value

  • Left shifting a signed operand

  • Right shifting a negative value

Fix

Use unsigned operands when performing bitwise operations and shift operations: an unsigned type has no sign bit to affect, so the result of the operation is defined.

Example — Bitwise operations and shift operation using signed operands

In this example, the bits of an integer variable are used as flags that are set and checked against an integer mask by using bitwise operations. The integer variable and the masks are signed integers, which makes this code implementation-dependent. This code shows unexpected behavior if the integer is not a 32-bit integer with two's complement representation.

#include <stdio.h>

// Define masks for each flag using bit shifts
#define ENABLE_FEATURE_A (1 << 0) // 0000...0001
#define ENABLE_FEATURE_B (1 << 1) // 0000...0010
#define ENABLE_FEATURE_C (1 << 2) // 0000...0100
#define IS_SIGNED       (1 << 31) // 1000...0000 (sign bit for 32-bit int) //Noncompliant

void setFlag(int *flags, int mask) {
    *flags |= mask; //Noncompliant - Signed right and left operands 
}

void clearFlag(int *flags, int mask) {
    *flags &= ~mask; //Noncompliant - Signed right and left operands 
}

int checkFlag(int flags, int mask) {
    return (flags & mask) != 0;  //Noncompliant - Signed right and left operands 
}

int main() {
    int config = 0; // Initial configuration with all flags cleared

    // Set some flags
    setFlag(&config, ENABLE_FEATURE_A);
    setFlag(&config, ENABLE_FEATURE_C);

    // Check flags
    printf("Feature A enabled: %s\n", checkFlag(config, ENABLE_FEATURE_A) ? "Yes" : "No");
    printf("Feature B enabled: %s\n", checkFlag(config, ENABLE_FEATURE_B) ? "Yes" : "No");
    printf("Feature C enabled: %s\n", checkFlag(config, ENABLE_FEATURE_C) ? "Yes" : "No");
    printf("Is Signed: %s\n", checkFlag(config, IS_SIGNED) ? "Yes" : "No");

    // Clear a flag
    clearFlag(&config, ENABLE_FEATURE_A);
    printf("Feature A enabled after clearing: %s\n", checkFlag(config, ENABLE_FEATURE_A) ? "Yes" : "No");

    return 0;
}

Correction

To fix the violations, use unsigned operands for the shift and bitwise operations.

#include <stdio.h>
typedef unsigned int uint;

// Define masks for each flag using bit shifts
#define ENABLE_FEATURE_A (1U << 0) // 0000...0001
#define ENABLE_FEATURE_B (1U << 1) // 0000...0010
#define ENABLE_FEATURE_C (1U << 2) // 0000...0100
#define IS_SIGNED       (1U << 31) // 1000...0000 //Compliant

void setFlag(uint *flags, uint mask) {
    *flags |= mask; // Compliant
}

void clearFlag(uint *flags, uint mask) {
    *flags &= ~mask; // Compliant
}

int checkFlag(uint flags, uint mask) {
    return (flags & mask) != 0; // Compliant
}

int main() {
    uint config = 0; // Initial configuration with all flags cleared

    // Set some flags
    setFlag(&config, ENABLE_FEATURE_A);
    setFlag(&config, ENABLE_FEATURE_C);

    // Check flags
    printf("Feature A enabled: %s\n", checkFlag(config, ENABLE_FEATURE_A) ? "Yes" : "No");
    printf("Feature B enabled: %s\n", checkFlag(config, ENABLE_FEATURE_B) ? "Yes" : "No");
    printf("Feature C enabled: %s\n", checkFlag(config, ENABLE_FEATURE_C) ? "Yes" : "No");
    printf("Is Signed: %s\n", checkFlag(config, IS_SIGNED) ? "Yes" : "No");

    // Clear a flag
    clearFlag(&config, ENABLE_FEATURE_A);
    printf("Feature A enabled after clearing: %s\n", checkFlag(config, ENABLE_FEATURE_A) ? "Yes" : "No");

    return 0;
}
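The corrected example still assumes that unsigned int is at least 32 bits wide, and the Risk list above names two shift cases (a count at or beyond the operand width, and a right shift of a negative value) that the corrected code does not exercise. The following added example, which is not part of the Polyspace or CERT material on this page, checks the width assumption at compile time, validates a shift count before shifting an unsigned operand, and computes the result of an arithmetic right shift of a negative value using only defined unsigned operations; the function and macro names are this example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

/* Compile-time check of the assumption behind 1U << 31 in the corrected
 * example: the shift is defined only if unsigned int has at least 32 bits. */
_Static_assert(sizeof(unsigned int) * CHAR_BIT >= 32,
               "1U << 31 needs an unsigned int of at least 32 bits");

/* Operand width computed from the type instead of hard-coding 32. */
#define U32_WIDTH ((unsigned)(sizeof(uint32_t) * CHAR_BIT))

/* Left shift on an unsigned operand with the count validated first.
 * A count >= width would be undefined behavior, so it is rejected
 * (returns false, *out untouched). In-range unsigned shifts are defined. */
bool checked_shl_u32(uint32_t value, unsigned count, uint32_t *out) {
    if (count >= U32_WIDTH) {
        return false;
    }
    *out = value << count;
    return true;
}

/* Turn a 32-bit pattern into an int32_t without an out-of-range cast
 * (such a cast is implementation-defined). A pattern with the top bit set
 * is rebuilt from its complement, which always fits in int32_t. */
static int32_t bits_to_i32(uint32_t bits) {
    if (bits <= (uint32_t)INT32_MAX) {
        return (int32_t)bits;
    }
    return -(int32_t)(~bits) - 1;
}

/* floor(value / 2^count): the value an arithmetic right shift yields,
 * computed with defined unsigned operations only. The sign is handled
 * explicitly rather than relying on how >> treats a negative int. */
int32_t portable_sar_i32(int32_t value, unsigned count) {
    if (count >= U32_WIDTH) {
        return value < 0 ? -1 : 0;      /* |value| < 2^31, so floor is -1 or 0 */
    }
    uint32_t bits = (uint32_t)value;    /* modular conversion: always defined */
    uint32_t shifted = bits >> count;   /* logical shift on an unsigned operand */
    if (value < 0) {
        shifted |= ~(UINT32_MAX >> count);   /* refill the vacated high bits */
    }
    return bits_to_i32(shifted);
}
```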

Check Information

Group: Rec. 04. Integers (INT)
PQL Name: std.cert.INT16_C

Version History

Introduced in R2026a


1 This software has been created by MathWorks incorporating portions of: the “SEI CERT-C Website,” © 2017 Carnegie Mellon University, the SEI CERT-C++ Web site © 2017 Carnegie Mellon University, “SEI CERT C Coding Standard – Rules for Developing safe, Reliable and Secure systems – 2016 Edition,” © 2016 Carnegie Mellon University, and “SEI CERT C++ Coding Standard – Rules for Developing safe, Reliable and Secure systems in C++ – 2016 Edition” © 2016 Carnegie Mellon University, with special permission from its Software Engineering Institute.

ANY MATERIAL OF CARNEGIE MELLON UNIVERSITY AND/OR ITS SOFTWARE ENGINEERING INSTITUTE CONTAINED HEREIN IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This software and associated documentation has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute.