RULE-7-0-4 - InappropriateBitwiseOrShiftOperands

lcartey · lcartey · commit 6845cdc76431 · 2025-07-04T11:23:10.000+01:00
Detects inappropriate operands for bitwise and shift operators that
violate type requirements. Identifies signed operands in bitwise
operations and improper shift operand types that may cause undefined
behavior. [a]
diff --git a/cpp/misra/src/rules/RULE-7-0-4/InappropriateBitwiseOrShiftOperands.ql b/cpp/misra/src/rules/RULE-7-0-4/InappropriateBitwiseOrShiftOperands.ql
@@ -0,0 +1,124 @@
+/**
+ * @id cpp/misra/inappropriate-bitwise-or-shift-operands
+ * @name RULE-7-0-4: The operands of bitwise operators and shift operators shall be appropriate
+ * @description Bitwise and shift operators should only be applied to operands of appropriate types
+ *              and values to avoid implementation-defined or undefined behavior.
+ * @kind problem
+ * @precision very-high
+ * @problem.severity error
+ * @tags external/misra/id/rule-7-0-4
+ *       scope/single-translation-unit
+ *       external/misra/enforcement/decidable
+ *       external/misra/obligation/required
+ */
+
+import cpp
+import codingstandards.cpp.misra
+import codingstandards.cpp.misra.BuiltInTypeRules
+
+predicate isSignedType(NumericType t) { t.getSignedness() = Signed() }
+
+predicate isUnsignedType(NumericType t) { t.getSignedness() = Unsigned() }
+
+predicate isConstantExpression(Expr e) {
+  e instanceof Literal or
+  e.isConstant()
+}
+
+predicate isValidShiftConstantRange(Expr right, Type leftType) {
+  exists(int value |
+    value = right.getValue().toInt() and
+    value >= 0 and
+    value < leftType.getSize() * 8
+  )
+}
+
+predicate isSignedConstantLeftShiftException(LShiftExpr shift) {
+  exists(Expr left, Expr right, NumericType leftType, int leftVal, int rightVal, int maxBit |
+    left = shift.getLeftOperand() and
+    right = shift.getRightOperand() and
+    leftType = left.getType() and
+    isConstantExpression(left) and
+    isConstantExpression(right) and
+    isSignedType(leftType) and
+    isValidShiftConstantRange(right, leftType) and
+    leftVal = left.getValue().toInt() and
+    rightVal = right.getValue().toInt() and
+    leftVal >= 0 and
+    maxBit = leftType.getSize() * 8 - 1 and
+    // Check that no set bit is shifted into or beyond the sign bit
+    leftVal * 2.pow(rightVal) < 2.pow(maxBit)
+  )
+}
+
+class BinaryShiftOperation extends BinaryOperation {
+  BinaryShiftOperation() {
+    this instanceof LShiftExpr or
+    this instanceof RShiftExpr
+  }
+}
+
+class AssignShiftOperation extends AssignOperation {
+  AssignShiftOperation() {
+    this instanceof AssignLShiftExpr or
+    this instanceof AssignRShiftExpr
+  }
+}
+
+from Expr x, string message
+where
+  not isExcluded(x, ConversionsPackage::inappropriateBitwiseOrShiftOperandsQuery()) and
+  (
+    // Binary bitwise operators (excluding shift operations) - both operands must be unsigned
+    exists(BinaryBitwiseOperation op |
+      not op instanceof BinaryShiftOperation and
+      op = x and
+      not (
+        isUnsignedType(op.getLeftOperand().getExplicitlyConverted().getType()) and
+        isUnsignedType(op.getRightOperand().getExplicitlyConverted().getType())
+      ) and
+      message =
+        "Binary bitwise operator '" + op.getOperator() + "' requires both operands to be unsigned."
+    )
+    or
+    // Compound assignment bitwise operators - both operands must be unsigned
+    exists(AssignBitwiseOperation op |
+      not op instanceof AssignShiftOperation and
+      op = x and
+      not (
+        isUnsignedType(op.getLValue().getExplicitlyConverted().getType()) and
+        isUnsignedType(op.getRValue().getExplicitlyConverted().getType())
+      ) and
+      message =
+        "Compound assignment bitwise operator '" + op.getOperator() +
+          "' requires both operands to be unsigned."
+    )
+    or
+    // Bit complement operator - operand must be unsigned
+    exists(ComplementExpr comp |
+      comp = x and
+      not isUnsignedType(comp.getOperand().getExplicitlyConverted().getType()) and
+      message = "Bit complement operator '~' requires unsigned operand."
+    )
+    or
+    // Shift operators - left operand must be unsigned
+    exists(BinaryShiftOperation shift |
+      shift = x and
+      not isUnsignedType(shift.getLeftOperand().getExplicitlyConverted().getType()) and
+      not isSignedConstantLeftShiftException(shift) and
+      message = "Shift operator '" + shift.getOperator() + "' requires unsigned left operand."
+    )
+    or
+    // Shift operators - right operand must be unsigned or constant in valid range
+    exists(BinaryShiftOperation shift, Expr right |
+      shift = x and
+      shift = x and
+      right = shift.getRightOperand() and
+      not isUnsignedType(right.getExplicitlyConverted().getType()) and
+      not isValidShiftConstantRange(right, shift.getLeftOperand().getExplicitlyConverted().getType()) and
+      message =
+        "Shift operator '" + shift.getOperator() +
+          "' requires unsigned right operand or constant in valid range."
+    )
+  )
+select x, message
diff --git a/cpp/misra/test/rules/RULE-7-0-4/InappropriateBitwiseOrShiftOperands.expected b/cpp/misra/test/rules/RULE-7-0-4/InappropriateBitwiseOrShiftOperands.expected
@@ -0,0 +1,25 @@
+| test.cpp:14:3:14:13 | ... & ... | Binary bitwise operator '&' requires both operands to be unsigned. |
+| test.cpp:15:3:15:13 | ... \| ... | Binary bitwise operator '\|' requires both operands to be unsigned. |
+| test.cpp:16:3:16:13 | ... ^ ... | Binary bitwise operator '^' requires both operands to be unsigned. |
+| test.cpp:18:3:18:13 | ... & ... | Binary bitwise operator '&' requires both operands to be unsigned. |
+| test.cpp:19:3:19:13 | ... \| ... | Binary bitwise operator '\|' requires both operands to be unsigned. |
+| test.cpp:30:3:30:15 | ... &= ... | Compound assignment bitwise operator '&=' requires both operands to be unsigned. |
+| test.cpp:31:3:31:15 | ... \|= ... | Compound assignment bitwise operator '\|=' requires both operands to be unsigned. |
+| test.cpp:32:3:32:15 | ... ^= ... | Compound assignment bitwise operator '^=' requires both operands to be unsigned. |
+| test.cpp:42:3:42:6 | ~ ... | Bit complement operator '~' requires unsigned operand. |
+| test.cpp:54:3:54:9 | ... << ... | Shift operator '<<' requires unsigned left operand. |
+| test.cpp:55:3:55:11 | ... << ... | Shift operator '<<' requires unsigned left operand. |
+| test.cpp:63:3:63:18 | ... << ... | Shift operator '<<' requires unsigned left operand. |
+| test.cpp:74:3:74:11 | ... << ... | Shift operator '<<' requires unsigned right operand or constant in valid range. |
+| test.cpp:75:3:75:11 | ... >> ... | Shift operator '>>' requires unsigned right operand or constant in valid range. |
+| test.cpp:85:3:85:11 | ... << ... | Shift operator '<<' requires unsigned right operand or constant in valid range. |
+| test.cpp:86:3:86:11 | ... << ... | Shift operator '<<' requires unsigned right operand or constant in valid range. |
+| test.cpp:87:3:87:11 | ... >> ... | Shift operator '>>' requires unsigned right operand or constant in valid range. |
+| test.cpp:97:3:97:9 | ... << ... | Shift operator '<<' requires unsigned left operand. |
+| test.cpp:98:3:98:9 | ... << ... | Shift operator '<<' requires unsigned left operand. |
+| test.cpp:99:3:99:9 | ... << ... | Shift operator '<<' requires unsigned left operand. |
+| test.cpp:100:3:100:9 | ... << ... | Shift operator '<<' requires unsigned left operand. |
+| test.cpp:104:3:104:11 | ... << ... | Shift operator '<<' requires unsigned left operand. |
+| test.cpp:106:3:106:17 | ... << ... | Shift operator '<<' requires unsigned left operand. |
+| test.cpp:112:3:112:10 | ... << ... | Shift operator '<<' requires unsigned left operand. |
+| test.cpp:120:3:120:11 | ... >> ... | Shift operator '>>' requires unsigned left operand. |
diff --git a/cpp/misra/test/rules/RULE-7-0-4/InappropriateBitwiseOrShiftOperands.qlref b/cpp/misra/test/rules/RULE-7-0-4/InappropriateBitwiseOrShiftOperands.qlref
@@ -0,0 +1 @@
+rules/RULE-7-0-4/InappropriateBitwiseOrShiftOperands.ql
diff --git a/cpp/misra/test/rules/RULE-7-0-4/test.cpp b/cpp/misra/test/rules/RULE-7-0-4/test.cpp
@@ -0,0 +1,121 @@
+#include <climits>
+#include <cstdint>
+
+void test_binary_bitwise_operators_unsigned_operands() {
+  std::uint32_t u32a = 0x12345678U;
+  std::uint32_t u32b = 0x87654321U;
+  std::int32_t s32a = 0x12345678;
+  std::int32_t s32b = 0x87654321;
+
+  u32a & u32b; // COMPLIANT
+  u32a | u32b; // COMPLIANT
+  u32a ^ u32b; // COMPLIANT
+
+  s32a & s32b; // NON_COMPLIANT
+  s32a | s32b; // NON_COMPLIANT
+  s32a ^ s32b; // NON_COMPLIANT
+
+  s32a & u32b; // NON_COMPLIANT
+  u32a | s32b; // NON_COMPLIANT
+}
+
+void test_compound_assignment_bitwise_operators() {
+  std::uint32_t u32 = 0x12345678U;
+  std::int32_t s32 = 0x12345678;
+
+  u32 &= 0xFFFFU; // COMPLIANT
+  u32 |= 0x1000U; // COMPLIANT
+  u32 ^= 0x5555U; // COMPLIANT
+
+  s32 &= 0xFFFF; // NON_COMPLIANT
+  s32 |= 0x1000; // NON_COMPLIANT
+  s32 ^= 0x5555; // NON_COMPLIANT
+}
+
+void test_bit_complement_operator() {
+  std::uint32_t u32 = 0x12345678U;
+  std::uint8_t u8 = 0x55U;
+  std::int32_t s32 = 0x12345678;
+
+  ~u32; // COMPLIANT
+  ~u8;  // COMPLIANT
+  ~s32; // NON_COMPLIANT
+}
+
+void test_shift_operators_left_operand_type() {
+  std::uint32_t u32 = 0x12345678U;
+  std::uint8_t u8 = 2U;
+  std::int32_t s32 = 0x12345678;
+
+  1U << u8;  // COMPLIANT
+  1U << 31;  // COMPLIANT
+  u32 << 2U; // COMPLIANT
+
+  1 << u8;   // NON_COMPLIANT
+  s32 << 2U; // NON_COMPLIANT
+}
+
+void test_shift_operators_with_promotion() {
+  std::uint8_t u8 = 1U;
+  std::uint16_t u16 = 2U;
+
+  static_cast<std::uint16_t>(u8 + u16) << 2U; // COMPLIANT
+  (u8 + u16) << 2U;                           // NON_COMPLIANT
+}
+
+void test_shift_operators_right_operand_unsigned() {
+  std::uint32_t u32 = 0x12345678U;
+  std::uint8_t u8 = 2U;
+  std::int8_t s8 = 2;
+
+  u32 << u8; // COMPLIANT
+  u32 >> u8; // COMPLIANT
+
+  u32 << s8; // NON_COMPLIANT
+  u32 >> s8; // NON_COMPLIANT
+}
+
+void test_shift_operators_right_operand_constant_range() {
+  std::uint32_t u32 = 0x12345678U;
+
+  u32 << 0;  // COMPLIANT
+  u32 << 31; // COMPLIANT
+  u32 >> 15; // COMPLIANT
+
+  u32 << 32; // NON_COMPLIANT
+  u32 << 64; // NON_COMPLIANT
+  u32 >> 32; // NON_COMPLIANT
+}
+
+void test_exception_signed_constant_left_operand() {
+  // Exception cases for signed constant expressions
+  1 << 30; // COMPLIANT
+  2 << 29; // COMPLIANT
+  4 << 28; // COMPLIANT
+  8 << 27; // COMPLIANT
+
+  1 << 31; // NON_COMPLIANT
+  2 << 30; // NON_COMPLIANT
+  4 << 29; // NON_COMPLIANT
+  8 << 28; // NON_COMPLIANT
+
+  1LL << 31; // COMPLIANT - 64 bit type
+  1LL << 62; // COMPLIANT - 64 bit type
+  1LL << 63; // NON_COMPLIANT - 64 bit type
+
+  0x40000000 << 1; // NON_COMPLIANT
+}
+
+void test_exception_non_constant_signed_operand() {
+  std::int32_t s32 = 1;
+
+  s32 << 2; // NON_COMPLIANT
+}
+
+void test_right_shift_signed_operands() {
+  std::uint32_t u32 = 0x80000000U;
+  std::int32_t s32 = -1;
+
+  u32 >> 1U; // COMPLIANT
+  s32 >> 1U; // NON_COMPLIANT
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+rules/RULE-7-0-4/InappropriateBitwiseOrShiftOperands.ql`