RULE-7-0-5 - NoSignednessChangeFromPromotion

lcartey · lcartey · commit a2d7ee33ccf5 · 2025-06-26T20:41:27.000+01:00
Detects integral promotions and arithmetic conversions that change the
signedness or type category of operands, preventing unexpected behavior
from implicit type conversions. [a]
diff --git a/cpp/misra/src/rules/RULE-7-0-5/NoSignednessChangeFromPromotion.ql b/cpp/misra/src/rules/RULE-7-0-5/NoSignednessChangeFromPromotion.ql
@@ -0,0 +1,88 @@
+/**
+ * @id cpp/misra/no-signedness-change-from-promotion
+ * @name RULE-7-0-5: Integral promotion and the usual arithmetic conversions shall not change the signedness or the type
+ * @description Integral promotion and usual arithmetic conversions that change operand signedness
+ *              or type category may cause unexpected behavior or undefined behavior when operations
+ *              overflow.
+ * @kind problem
+ * @precision very-high
+ * @problem.severity error
+ * @tags external/misra/id/rule-7-0-5
+ *       scope/single-translation-unit
+ *       external/misra/enforcement/decidable
+ *       external/misra/obligation/required
+ */
+
+import cpp
+import codingstandards.cpp.misra
+import codingstandards.cpp.misra.BuiltInTypeRules
+
+/**
+ * A `Conversion` that is relevant for the rule.
+ */
+abstract class RelevantConversion extends Conversion {
+  NumericType fromType;
+  NumericType toType;
+
+  RelevantConversion() {
+    fromType = this.getExpr().getType().getUnspecifiedType() and
+    toType = this.getType().getUnspecifiedType() and
+    this.isImplicit()
+  }
+
+  Type getFromType() { result = fromType }
+
+  Type getToType() { result = toType }
+}
+
+class UsualArithmeticConversion extends RelevantConversion {
+  UsualArithmeticConversion() {
+    (
+      exists(BinaryOperation op | op.getAnOperand().getFullyConverted() = this) or
+      exists(UnaryOperation uao | uao.getOperand().getFullyConverted() = this) or
+      exists(AssignArithmeticOperation ao | ao.getAnOperand().getFullyConverted() = this)
+    )
+  }
+}
+
+class IntegerPromotion extends RelevantConversion {
+  IntegerPromotion() {
+    // Only consider cases where the integer promotion is the last conversion applied
+    exists(Expr e | e.getFullyConverted() = this) and
+    // Integer promotion occurs where the from type is smaller than int
+    fromType.getRealSize() < any(IntType i).(NumericType).getRealSize() and
+    // To type is bigger than or equal to int
+    toType.getRealSize() >= any(IntType i).(NumericType).getRealSize() and
+    fromType.getTypeCategory() = Integral() and
+    toType.getTypeCategory() = Integral()
+  }
+}
+
+from Expr e, RelevantConversion c, NumericType fromType, NumericType toType, string changeType
+where
+  not isExcluded(e, ConversionsPackage::noSignednessChangeFromPromotionQuery()) and
+  c = e.getConversion() and
+  fromType = c.getFromType() and
+  toType = c.getToType() and
+  (
+    fromType.getSignedness() != toType.getSignedness() and changeType = "signedness"
+    or
+    fromType.getTypeCategory() != toType.getTypeCategory() and changeType = "type category"
+  ) and
+  // Ignore crement operations
+  not exists(CrementOperation cop | cop.getAnOperand() = e) and
+  // Exception 1: allow safe constant conversions
+  not (
+    e.getValue().toInt() >= 0 and
+    fromType.(IntegralType).isSigned() and
+    toType.(IntegralType).isUnsigned()
+  ) and
+  // Exception 2: allow safe conversions from integral to floating-point types
+  not (
+    e.isConstant() and
+    fromType.getTypeCategory() = Integral() and
+    toType.getTypeCategory() = FloatingPoint()
+  )
+select e,
+  "Conversion from '" + fromType.getName() + "' to '" + toType.getName() + "' changes " + changeType
+    + "."
diff --git a/cpp/misra/test/rules/RULE-7-0-5/NoSignednessChangeFromPromotion.expected b/cpp/misra/test/rules/RULE-7-0-5/NoSignednessChangeFromPromotion.expected
@@ -0,0 +1,47 @@
+| test.cpp:24:5:24:6 | l1 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:24:10:24:11 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:25:5:25:6 | l1 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:25:10:25:11 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:26:5:26:6 | l1 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:26:10:26:11 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:27:5:27:6 | l1 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:27:10:27:11 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:28:5:28:6 | l1 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:28:10:28:11 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:29:5:29:6 | l1 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:29:10:29:11 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:30:5:30:6 | l1 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:30:10:30:11 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:31:5:31:6 | l1 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:31:10:31:11 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:45:11:45:12 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:46:11:46:12 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:47:11:47:12 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:48:11:48:12 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:49:11:49:12 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:50:11:50:12 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:51:11:51:12 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:52:11:52:12 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:64:5:64:6 | l1 | Conversion from 'signed int' to 'unsigned int' changes signedness. |
+| test.cpp:65:5:65:6 | l1 | Conversion from 'signed int' to 'unsigned int' changes signedness. |
+| test.cpp:66:5:66:6 | l1 | Conversion from 'signed int' to 'unsigned int' changes signedness. |
+| test.cpp:67:5:67:6 | l1 | Conversion from 'signed int' to 'unsigned int' changes signedness. |
+| test.cpp:68:5:68:6 | l1 | Conversion from 'signed int' to 'unsigned int' changes signedness. |
+| test.cpp:69:5:69:6 | l1 | Conversion from 'signed int' to 'unsigned int' changes signedness. |
+| test.cpp:71:5:71:6 | l3 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:71:10:71:11 | l4 | Conversion from 'unsigned short' to 'int' changes signedness. |
+| test.cpp:72:5:72:6 | l3 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:72:10:72:11 | l4 | Conversion from 'unsigned short' to 'int' changes signedness. |
+| test.cpp:82:10:82:11 | l2 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:82:15:82:16 | l4 | Conversion from 'unsigned short' to 'int' changes signedness. |
+| test.cpp:89:5:89:6 | l1 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:90:5:90:6 | l1 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:100:6:100:7 | l1 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:102:6:102:7 | l1 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:104:6:104:7 | l1 | Conversion from 'unsigned char' to 'int' changes signedness. |
+| test.cpp:143:11:143:12 | l2 | Conversion from 'unsigned int' to 'float' changes signedness. |
+| test.cpp:143:11:143:12 | l2 | Conversion from 'unsigned int' to 'float' changes type category. |
+| test.cpp:144:11:144:12 | l2 | Conversion from 'unsigned int' to 'float' changes signedness. |
+| test.cpp:144:11:144:12 | l2 | Conversion from 'unsigned int' to 'float' changes type category. |
+| test.cpp:145:11:145:12 | l2 | Conversion from 'unsigned int' to 'float' changes signedness. |
+| test.cpp:145:11:145:12 | l2 | Conversion from 'unsigned int' to 'float' changes type category. |
diff --git a/cpp/misra/test/rules/RULE-7-0-5/NoSignednessChangeFromPromotion.qlref b/cpp/misra/test/rules/RULE-7-0-5/NoSignednessChangeFromPromotion.qlref
@@ -0,0 +1 @@
+rules/RULE-7-0-5/NoSignednessChangeFromPromotion.ql
diff --git a/cpp/misra/test/rules/RULE-7-0-5/test.cpp b/cpp/misra/test/rules/RULE-7-0-5/test.cpp
@@ -0,0 +1,146 @@
+#include <cstdint>
+
+// Global variables for testing
+std::uint8_t g1 = 5;
+std::uint8_t g2 = 10;
+std::uint16_t g3 = 100;
+std::uint32_t g4 = 1000;
+std::int8_t g5 = -5;
+std::int32_t g6 = -1000;
+float g7 = 3.14f;
+
+constexpr std::int32_t f1(std::int32_t i) {
+    return i * i;
+}
+
+void test_binary_arithmetic_operations() {
+    std::uint8_t l1 = 5;
+    std::uint8_t l2 = 10;
+    std::uint16_t l3 = 100;
+    std::uint32_t l4 = 1000;
+    std::int8_t l5 = -5;
+    std::int32_t l6 = -1000;
+    
+    l1 + l2;                                    // NON_COMPLIANT - u8 + u8 -> signed int
+    l1 * l2;                                    // NON_COMPLIANT - u8 * u8 -> signed int
+    l1 - l2;                                    // NON_COMPLIANT - u8 - u8 -> signed int
+    l1 / l2;                                    // NON_COMPLIANT - u8 / u8 -> signed int
+    l1 % l2;                                    // NON_COMPLIANT - u8 % u8 -> signed int
+    l1 & l2;                                    // NON_COMPLIANT - u8 & u8 -> signed int
+    l1 | l2;                                    // NON_COMPLIANT - u8 | u8 -> signed int
+    l1 ^ l2;                                    // NON_COMPLIANT - u8 ^ u8 -> signed int
+    
+    static_cast<std::uint32_t>(l1) + l2;       // COMPLIANT - l2 -> unsigned int
+    l1 + static_cast<std::uint32_t>(l2);       // COMPLIANT - l1 -> unsigned int
+    
+    l6 * l5;                                    // COMPLIANT - l5 -> signed int
+    l4 / l1;                                    // COMPLIANT - l1 -> unsigned int
+}
+
+void test_assignment_operations() {
+    std::uint8_t l1 = 5;
+    std::uint8_t l2 = 10;
+    std::uint32_t l3 = 1000;
+    
+    l1 += l2;                                   // NON_COMPLIANT - same as l1 + l2
+    l1 -= l2;                                   // NON_COMPLIANT - same as l1 - l2
+    l1 *= l2;                                   // NON_COMPLIANT - same as l1 * l2
+    l1 /= l2;                                   // NON_COMPLIANT - same as l1 / l2
+    l1 %= l2;                                   // NON_COMPLIANT - same as l1 % l2
+    l1 &= l2;                                   // NON_COMPLIANT - same as l1 & l2
+    l1 |= l2;                                   // NON_COMPLIANT - same as l1 | l2
+    l1 ^= l2;                                   // NON_COMPLIANT - same as l1 ^ l2
+    
+    l1 += static_cast<std::uint32_t>(l2);      // COMPLIANT - l1 -> unsigned int
+    l1 += l3;                                   // COMPLIANT - l1 -> unsigned int
+}
+
+void test_comparison_operations() {
+    std::int32_t l1 = -1000;
+    std::uint32_t l2 = 1000;
+    std::uint8_t l3 = 5;
+    std::uint16_t l4 = 100;
+    
+    l1 > l2;                                    // NON_COMPLIANT - l1 -> unsigned int
+    l1 < l2;                                    // NON_COMPLIANT - l1 -> unsigned int
+    l1 >= l2;                                   // NON_COMPLIANT - l1 -> unsigned int
+    l1 <= l2;                                   // NON_COMPLIANT - l1 -> unsigned int
+    l1 == l2;                                   // NON_COMPLIANT - l1 -> unsigned int
+    l1 != l2;                                   // NON_COMPLIANT - l1 -> unsigned int
+    
+    l3 > l4;                                    // NON_COMPLIANT - l3 and l4 -> signed int
+    l3 < l4;                                    // NON_COMPLIANT - l3 and l4 -> signed int
+}
+
+void test_conditional_operator() {
+    bool l1 = true;
+    std::uint8_t l2 = 5;
+    std::uint8_t l3 = 10;
+    std::uint16_t l4 = 100;
+    
+    l1 ? l2 : l3;                               // COMPLIANT - no conversion
+    l1 ? l2 : l4;                               // NON_COMPLIANT - l2 and l4 -> signed int
+}
+
+void test_shift_operations() {
+    std::uint8_t l1 = 5;
+    std::uint32_t l2 = 1000;
+    
+    l1 << 2;                                    // NON_COMPLIANT - l1 -> signed int
+    l1 >> 1;                                    // NON_COMPLIANT - l1 -> signed int
+    l2 << 2;                                    // COMPLIANT
+    l2 >> 1;                                    // COMPLIANT
+}
+
+void test_unary_operations() {
+    std::uint8_t l1 = 5;
+    std::uint32_t l2 = 1000;
+    std::int8_t l3 = -5;
+    
+    ~l1;                                        // NON_COMPLIANT - l1 -> signed int
+    ~l2;                                        // COMPLIANT
+    -l1;                                        // NON_COMPLIANT - l1 -> signed int
+    -l3;                                        // COMPLIANT - l3 is signed
+    +l1;                                        // NON_COMPLIANT - l1 -> signed int
+}
+
+void test_increment_decrement() {
+    std::uint8_t l1 = 5;
+    std::uint16_t l2 = 100;
+    
+    l1++;                                       // COMPLIANT - rule does not apply
+    ++l1;                                       // COMPLIANT - rule does not apply
+    l1--;                                       // COMPLIANT - rule does not apply
+    --l1;                                       // COMPLIANT - rule does not apply
+    l2++;                                       // COMPLIANT - rule does not apply
+    ++l2;                                       // COMPLIANT - rule does not apply
+}
+
+void test_array_subscript() {
+    int l1[10];
+    std::uint8_t l2 = 5;
+    
+    l1[l2];                                     // COMPLIANT - rule does not apply
+}
+
+void test_exception_compile_time_constants() {
+    std::uint32_t l1 = 1000;
+    float l2 = 3.14f;
+    std::int32_t l3 = 5;
+    
+    l1 - 1;                                     // COMPLIANT - exception #1
+    l1 + 42;                                    // COMPLIANT - exception #1
+    l2 += 1;                                    // COMPLIANT - exception #2
+    l2 += 0x10001;                              // COMPLIANT - exception #2
+    l3 + f1(10);                                // COMPLIANT - exception #1
+    l2 + f1(10);                                // COMPLIANT - exception #2
+}
+
+void test_floating_point_conversions() {
+    float l1;
+    std::uint32_t l2;
+    
+    l1 += l2;                                   // NON_COMPLIANT - l2 -> floating
+    l1 *= l2;                                   // NON_COMPLIANT - l2 -> floating
+    l1 /= l2;                                   // NON_COMPLIANT - l2 -> floating
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+rules/RULE-7-0-5/NoSignednessChangeFromPromotion.ql`