Although most common implementations use a two's complement representation of signed integers, the C Standard (ISO/IEC 9899:1999, Section 6.2.6.2) makes the choice implementation-defined and allows any of the following representations:
- Sign and magnitude
- Two's complement
- Ones' complement
C23 removes this latitude and requires two's complement, but code that must also build under earlier standards should not depend on it.
This is a specific example of the recommendation MSC14-C. Do not introduce unnecessary platform dependencies.
...
Noncompliant Code Example
One way to check whether a number is even or odd is to examine its least significant bit. This appears to work, but the result depends on how negative values are represented. Specifically, this example gives unexpected results on ones' complement implementations, where every negative odd value has a least significant bit of 0 and every negative even value has a least significant bit of 1:

```c
int value;

if (scanf("%d", &value) == 1) {
  /* Noncompliant: the bit pattern of a negative value is representation-defined.
   * The parentheses are required because != binds tighter than & in C. */
  if ((value & 0x1) != 0) {
    /* Take action if value is odd */
  }
}
```
Compliant Solution
The same check can be performed portably using the modulo operator. Note that the comparison must be against 0 rather than 1: C99 defines integer division as truncating toward zero, so for a negative odd `value` the expression `value % 2` evaluates to -1, and `value % 2 == 1` would wrongly report it as even:

```c
int value;

if (scanf("%d", &value) == 1) {
  /* Compliant: arithmetic parity test, independent of representation */
  if (value % 2 != 0) {
    /* Take action if value is odd */
  }
}
```
Compliant Solution
Using bitwise operators is safe on unsigned integers, whose value bits always use a pure binary representation:

```c
unsigned int value;

if (scanf("%u", &value) == 1) {
  /* Compliant: the low bit of an unsigned value is its parity on every
   * implementation. Parentheses are required because != binds tighter than &. */
  if ((value & 0x1) != 0) {
    /* Take action if value is odd */
  }
}
```
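The following program is an added example, not code from the CERT page: it simulates the three representations the standard permits, runs the page's bit test and modulo test against each, and reports where they disagree. The encoders (`encode`), the sample values and the `detect_representation` helper are constructed for this example; on the two's complement machine you run it on, only the simulated ones' complement encoding will show mismatches.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simulated signed-integer representations (example code, not part of the
 * CERT page).  Each encoder returns the 32-bit pattern an implementation
 * using that representation would store for v.  Ones' complement and
 * sign-magnitude cannot represent INT32_MIN, so the samples below avoid it. */
enum repr { TWOS_COMPLEMENT = 0, ONES_COMPLEMENT = 1, SIGN_MAGNITUDE = 2 };

static uint32_t encode(int32_t v, enum repr r) {
    if (v >= 0)
        return (uint32_t)v;                 /* non-negative values agree everywhere */
    uint32_t mag = (uint32_t)(-(int64_t)v); /* |v|, computed without overflow */
    switch (r) {
    case TWOS_COMPLEMENT: return 0u - mag;          /* ~mag + 1 */
    case ONES_COMPLEMENT: return ~mag;
    case SIGN_MAGNITUDE:  return 0x80000000u | mag; /* sign bit plus magnitude */
    }
    abort();
}

/* Noncompliant check from the page: inspect only the least significant bit. */
static int lsb_says_odd(int32_t v, enum repr r) {
    return (encode(v, r) & 0x1u) != 0;
}

/* Compliant check from the page: arithmetic, independent of representation.
 * For negative odd v, v % 2 is -1 (C99 division truncates toward zero), so
 * the comparison must be against 0, not 1. */
static int mod_says_odd(int32_t v) {
    return v % 2 != 0;
}

/* Constructed sample inputs, including the negative values that matter. */
static const int32_t samples[] = { -7, -6, -3, -2, -1, 0, 1, 2, 3, 6, 7 };
#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Number of samples for which the LSB test gives the wrong parity under r. */
static int count_lsb_mismatches(enum repr r) {
    int mismatches = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (lsb_says_odd(samples[i], r) != mod_says_odd(samples[i]))
            mismatches++;
    return mismatches;
}

/* Which representation does the running implementation actually use?
 * The low two bits of -1 are 11 (two's), 10 (ones'), or 01 (sign-magnitude).
 * The same expression can be used in a preprocessor #if to fail the build
 * when code has no choice but to depend on two's complement. */
static enum repr detect_representation(void) {
    switch (-1 & 3) {
    case 3:  return TWOS_COMPLEMENT;
    case 2:  return ONES_COMPLEMENT;
    default: return SIGN_MAGNITUDE;
    }
}

int main(void) {
    static const char *names[] = { "two's complement", "ones' complement", "sign-magnitude" };
    for (int r = TWOS_COMPLEMENT; r <= SIGN_MAGNITUDE; r++)
        printf("%-16s: LSB parity test wrong for %d of %d samples\n",
               names[r], count_lsb_mismatches((enum repr)r), (int)NSAMPLES);
    printf("this implementation uses %s\n", names[detect_representation()]);
    return 0;
}
```

The bit test is wrong for every negative sample under ones' complement and correct for all samples under the other two representations, which is exactly the inconsistency the recommendation warns about; the modulo test, or an unsigned operand, removes the dependency entirely. If a module genuinely cannot avoid relying on two's complement, the `-1 & 3` check makes that assumption visible and fails loudly rather than silently misbehaving.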
Risk Assessment
Incorrect assumptions about integer representation can lead to execution of unintended code branches and other unexpected behavior.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
INT16-C | Medium | Unlikely | High | P2 | L3
Related Guidelines
ISO/IEC 9899:1999 Section 6.2.6.2
Bibliography
Automated Detection
Tool | Version | Checker | Description
---|---|---|---
Astrée | | bitop-type | Partially checked
Helix QAC | | C2940, C2945, DF2941, DF2942, DF2943, DF2946, DF2947, DF2948 |
LDRA tool suite | | 50 S, 120 S | Partially implemented
Parasoft C/C++test | | CERT_C-INT16-a | Bitwise operators shall only be applied to operands of unsigned underlying type
PC-lint Plus | | 502, 2704, 9088 | Partially supported: reports bitwise not of signed quantity, declaration of named signed single-bit bitfields, and negation of the minimum negative integer
RuleChecker | | bitop-type | Partially checked
...