xref: /src/tests/usr.bin/xlint/lint1/msg_117.c

/*	$NetBSD: msg_117.c,v 1.15 2025/09/14 11:14:00 rillig Exp $	*/
# 3 "msg_117.c"

// Test for message: bitwise '%s' on signed '%s' possibly nonportable [117]

/* lint1-extra-flags: -p -X 351 */

signed char s8;
unsigned char u8;
short s16;
unsigned short u16;
int s32;
unsigned u32;
long long s64;
unsigned long long u64;

// Shifting a signed integer left invokes undefined behavior if a 1 is shifted
// to the sign bit or beyond. At runtime, KUBSAN performs this check.
void
shl(void)
{
	s32 = s8 << 0;
	s32 = s8 << 23;
	s32 = s8 << 24;
	s32 = s8 << 31;
	/* expect+1: warning: shift amount 32 equals bit-size of 'int promoted from signed char' [267] */
	s32 = s8 << 32;
	/* expect+1: warning: shift amount 32 equals bit-size of 'int promoted from signed char' [267] */
	s64 = s8 << 32;

	/*
	 * When shifting 'uint8_t', it first gets promoted to 'int', which is
	 * then subject to the overflow check. To prevent this, first cast the
	 * 'uint8_t' to a suitable larger unsigned integer type.
	 */
	u32 = u8 << 0;
	u32 = u8 << 23;
	u32 = u8 << 24;
	u32 = u8 << 31;
	/* expect+1: warning: shift amount 32 equals bit-size of 'int promoted from unsigned char' [267] */
	u32 = u8 << 32;
	/* expect+1: warning: shift amount 32 equals bit-size of 'int promoted from unsigned char' [267] */
	u64 = u8 << 32;

	u32 = s32 << 0;
	u32 = s32 << 23;
	u32 = s32 << 24;
	u32 = s32 << 31;
	/* expect+1: warning: shift amount 32 equals bit-size of 'int' [267] */
	u32 = s32 << 32;
	/* expect+1: warning: shift amount 32 equals bit-size of 'int' [267] */
	u64 = s32 << 32;

	u32 = u32 << 0;
	u32 = u32 << 23;
	u32 = u32 << 24;
	u32 = u32 << 31;
	/* expect+1: warning: shift amount 32 equals bit-size of 'unsigned int' [267] */
	u32 = u32 << 32;
	/* expect+1: warning: shift amount 32 equals bit-size of 'unsigned int' [267] */
	u64 = u32 << 32;
}

int
shr(int a, int b)
{
	/* expect+1: warning: bitwise '>>' on signed 'int' possibly nonportable [117] */
	return a >> b;
}

int
shr_lhs_constant_positive(int a)
{
	return 0x1234 >> a;
}

int
shr_lhs_constant_negative(int a)
{
	/* expect+1: warning: bitwise '>>' on signed 'int' nonportable [120] */
	return -0x1234 >> a;
}

int
shr_rhs_constant_positive(int a)
{
	/* expect+2: warning: bitwise '>>' on signed 'int' possibly nonportable [117] */
	/* expect+1: warning: shift amount 4660 is greater than bit-size 32 of 'int' [122] */
	return a >> 0x1234;
}

int
shr_rhs_constant_negative(int a)
{
	/* expect+2: warning: bitwise '>>' on signed 'int' possibly nonportable [117] */
	/* expect+1: warning: negative shift [121] */
	return a >> -0x1234;
}

unsigned int
shr_unsigned_char(unsigned char uc)
{
	/*
	 * Even though 'uc' is promoted to 'int', it cannot be negative.
	 * Before tree.c 1.335 from 2021-08-15, lint wrongly warned that
	 * 'uc >> 4' might be a bitwise '>>' on signed value.
	 */
	return uc >> 4;
}

unsigned char
shr_unsigned_char_promoted_signed(unsigned char bit)
{
	/*
	 * The possible values for 'bit' range from 0 to 255.  Subtracting 1
	 * from 0 results in a negative expression value.
	 */
	/* expect+1: warning: bitwise '>>' on signed 'int' possibly nonportable [117] */
	return (unsigned char)((bit - 1) >> 5);
}

unsigned char
shr_unsigned_char_promoted_unsigned(unsigned char bit)
{
	/*
	 * To prevent the above warning, the intermediate expression must be
	 * cast to 'unsigned char'.
	 */
	return (unsigned char)((unsigned char)(bit - 1) >> 5);
}

/*
 * C90 3.3.7, C99 6.5.7 and C11 6.5.7 all say the same: If E1 has a signed
 * type and a negative value, the resulting value is implementation-defined.
 *
 * These standards don't guarantee anything about the lower bits of the
 * resulting value, which are generally independent of whether the shift is
 * performed in signed arithmetics or in unsigned arithmetics.  The C99
 * rationale talks about signed shifts, but does not provide any guarantee
 * either.  It merely suggests that platforms are free to use unsigned shifts
 * even if the operand type is signed.
 *
 * K&R provides more guarantees by saying: Right shifting a signed quantity
 * will fill with sign bits ("arithmetic shift") on some machines such as the
 * PDP-11, and with 0-bits ("logical shift") on others.
 *
 * https://gcc.gnu.org/onlinedocs/gcc/Integers-implementation.html says:
 * Signed '>>' acts on negative numbers by sign extension.
 *
 * This means that at least in GCC mode, lint may decide to not warn about
 * these cases.
 */
void
shr_signed_ignoring_high_bits(int x)
{

	/*
	 * All sane platforms should define that 'x >> 0 == x', even if x is
	 * negative.
	 */
	/* expect+1: warning: bitwise '>>' on signed 'int' possibly nonportable [117] */
	if (x >> 0 != 0)
		return;

	/*
	 * If x is negative, x >> 1 is nonzero, no matter whether the shift
	 * is arithmetic or logical.
	 */
	/* expect+1: warning: bitwise '>>' on signed 'int' possibly nonportable [117] */
	if (x >> 1 != 0)
		return;

	/*
	 * The highest bit may be 0 or 1, the others should be well-defined
	 * on all sane platforms, making it irrelevant whether the actual
	 * shift operation is arithmetic or logical.
	 */
	/* expect+1: warning: bitwise '>>' on signed 'int' possibly nonportable [117] */
	if (((x >> 1) & 1) != 0)
		return;

	/*
	 * The result of this expression is the same with arithmetic and
	 * logical shifts since the filled bits are masked out.
	 */
	/* expect+1: warning: bitwise '>>' on signed 'int' possibly nonportable [117] */
	if (((x >> 31) & 1) != 0)
		return;

	/*
	 * In this case, arithmetic shift results in 2 while logical shift
	 * results in 0.  This difference is what this warning is about.
	 */
	/* expect+1: warning: bitwise '>>' on signed 'int' possibly nonportable [117] */
	if (((x >> 31) & 2) != 0)
		return;

	/*
	 * The result of '&' is guaranteed to be positive, so don't warn.
	 * Code like this typically occurs in hexdump functions.
	 */
	if ((x & 0xf0) >> 4 != 0)
		return;
}