MISRA Discussion Forums MISRA C MISRA C:2012 and MISRA C:2023 guidelines 8.10 The essential type model
10.3 Clarification on assigning unsigned literal to signed

Thread Closed 
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
10.3 Clarification on assigning unsigned literal to signed
michael.metivier Offline
Junior Member
**
Posts: 11
Threads: 7
Joined: Mar 2013
Reputation: 0
#1
08-02-2016, 02:54 PM
Quote:A non-negative integer constant expression of essentially signed type may be assigned to an object of essentially unsigned type if its value can be represented in that type.

While Rule 10.3 has this Exception for constructions similar to
Code:
uint8_t u8a = 0;    /* By exception */
there does not seem to be a similar exception for the inverse
Code:
int8_t s8a = 1u;    /* Compliant? */
Our current analysis tool flags this as an error, but this assignment seems no more dangerous than the one given by the Example. Is there a specific rationale for why this assignment should not be allowed, given the condition of the Exception
Quote:if its value can be represented in that type.
?
<t></t>
Find
misra-c Offline
Senior Member
****
Posts: 632
Threads: 18
Joined: Jan 2006
Reputation: 1
#2
18-02-2016, 08:51 AM
The exception was created for signed literals as coders frequently omit the "U" suffix and it seemed over harsh to prevent such assignments.

If a coder has added the suffix "U", this explicitly signals an intention that the literal should be "unsigned" and therefore should only used in an essentially unsigned context. The view of the working group was that assigning such literals to a signed object could indicate a programming error and should therefore raise a violation.
Code:
int8_t s8a = 1u;   /*Non-compliant */
Posted by and on behalf of the MISRA C Working Group
Find
danielmarjamaki Offline
Junior Member
**
Posts: 7
Threads: 3
Joined: Apr 2017
Reputation: 0
#3
22-05-2018, 01:05 PM
hmm.. in my humble opinion, I see no real danger with that code.

If the "U" is removed, that is a ok fix. If a cast is added to fix the warning then I do see danger.

How do you feel if a cast is added like:
Code:
int8_t s8a = (int8_t)VALUE;

And then sometime in the future, the VALUE is changed to 256? Unless I am mistaken, there is no compiler/tool warning? The code will continue to "work".
<t></t>
Find
misra-c Offline
Senior Member
****
Posts: 632
Threads: 18
Joined: Jan 2006
Reputation: 1
#4
18-10-2018, 01:25 PM
The result of the cast "(int8_t)256U" is implementation-defined since 256 can not be represented by a signed 8-bit type. A tool supporting directive 1.1 may generate a warning in order to direct the user to document the behaviour of such a cast.

We would recommend removing the "U" rather than adding a cast.
Code:
int8_t s8a = 256;  // implicit narrowing conversion violates rule 10.3
An alternative would be to use a mask so that the value always fits the int8_t range.
Code:
int8_t s8a = (int8_t)(256U & 0xffU);
Posted by and on behalf of the MISRA C Working Group
Find
Thread Closed 


Forum Jump:


Users browsing this thread: 3 Guest(s)