Integer constants are often used as masks or specific bit values. Frequently, these constants are expressed in hexadecimal form to indicate to the programmer how the data might be represented in the machine. However, hexadecimal integer constants are frequently used in a nonportable manner.
Noncompliant Code Example
In this pedagogical noncompliant code example, the
flipbits() function complements the value stored in
x by performing a bitwise exclusive OR against a mask with all bits set to 1. For implementations where
unsigned long is represented by a 32-bit value, each bit of
x is correctly complemented.
However, on implementations where values of type
unsigned long are represented by greater than 32 bits,
mask will have leading 0s. For example, on implementations where values of type
unsigned long are 64 bits long,
mask is assigned the value
0x00000000FFFFFFFF. Consequently, only the lower-order bits of
x are complemented.
Compliant Solution (−1)
In this compliant solution, the integer constant
-1 is used to set all bits in
mask to 1. The integer constant
-1 is of type
signed int. Because
-1 cannot be represented by a variable of type
unsigned long, it is converted to a representable number according to the rule in subclause 220.127.116.11, paragraph 2, of the C Standard [ISO/IEC 9899:2011]:
[If the value can't be represented by the new type and] if the new type is unsigned, the value is converted by repeatedly adding or subtracting one more than the maximum value that can be represented in the new type until the value is in the range of the new type.
"One more than the maximum value that can be represented in the new type,"
ULONG_MAX + 1, is added to
-1, resulting in a right-side value of
ULONG_MAX. The representation of
ULONG_MAX is guaranteed to have all bits set to 1 by subclause 18.104.22.168, paragraph 1:
For unsigned integer types other than
unsigned char, the bits of the object representation shall be divided into two groups: value bits and padding bits (there need not be any of the latter). If there are N valuebits, each bit shall represent a different power of 2 between 1 and 2N − 1, so that objects of that type shall be capable of representing values from 0 to 2N − 1 using a pure binary representation; this shall be known as the value representation. The values of any padding bits are unspecified.
By the same reasoning,
-1 is suitable for setting all bits to one of any unsigned integer variable. Subclause 22.214.171.124, paragraph 3, guarantees the same results for
Values stored in unsigned bit-fields and objects of type
unsigned charshall be represented using a pure binary notation.
Noncompliant Code Example
In this noncompliant code example, a programmer attempts to set the most significant bit:
This code has the desired effect for implementations where
unsigned long has a precision of 32 bits but not for implementations where
unsigned long has a precision of 64 bits.
A portable (and safer) way of setting the high-order bit is to use a shift expression, as in this compliant solution:
Vulnerabilities are frequently introduced while porting code. A buffer overflow vulnerability may result, for example, if an incorrectly defined integer constant is used to determine the size of a buffer. It is always best to write portable code, especially when there is no performance overhead for doing so.
|Axivion Bauhaus Suite|
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
|SEI CERT C++ Coding Standard||VOID INT17-CPP. Define integer constants in an implementation-independent manner|
|[Dewhurst 2002]||Gotcha #25, "#define Literals"|
|[ISO/IEC 9899:2011]||Subclause 6.2.6, "Representations of Types"|
Subclause 126.96.36.199, "Signed and Unsigned Integers"