Contenuto principale

MISRA C++:2023 Rule 4.1.3

There shall be no occurrence of undefined or critical unspecified behaviour

Since R2024b

Description

Rule Definition

There shall be no occurrence of undefined or critical unspecified behaviour. 1

Rationale

C++ code that contains instances of undefined or critical unspecified behavior can produce unexpected or incorrect results. Such code can behave differently in different implementations. Issues caused by undefined behavior in the code can be difficult to analyze because the compiler might optimize the code assuming that undefined behavior does not occur. In addition, these behaviors can be difficult to detect during testing because the code might behave as expected for a given set of test data.

Note

Many MISRA C++:2023 rules address specific undefined or critical unspecified behaviors. This rule applies to any undefined or critical unspecified behavior that is not addressed in any other rule.

Polyspace Implementation

Polyspace® reports violations on these instances of undefined or critical unspecified behavior:

  • Undefined uses of offsetof:

    • Use of offsetof on bit fields

    • Use of offsetof when the second argument is not a structure field of the first argument

  • Undefined uses of a shift operator:

    • Use of a negative operand on the right side of a shift operator

    • Use of a shift operator with a right operand that is at least as large as the bit size of the data type of the left operand

  • Occurrences of integer constant overflow:

    • Assigning a compile-time integer constant to a signed integer variable whose data type cannot accommodate the value.

    • Use of an enumeration value that cannot be accommodated by the underlying type of the enumeration, when the underlying type is signed.

    • Performing a binary operation involving two integer constants that results in an overflow. That is, the result is a value outside the range allowed by the data type that the operation uses. A binary operation with integer constants uses the signed int data type unless you use modifiers such as u or L.

  • Undefined uses of the defined operator:

    • Use of defined without an identifier

    • Use of a macro whose expansion contains the defined operator

  • Use of an array of incomplete types

  • Use of a function-like macro that provides an incorrect number of arguments

Troubleshooting

If you expect a rule violation but Polyspace does not report it, see Diagnose Why Coding Standard Violations Do Not Appear as Expected.

Examples

expand all

#include <cstdint>

#define X 1

#define DEFINED defined
#if DEFINED(X) //Noncompliant
#endif

void test(void) {
  int16_t i = static_cast<int16_t>(0xFFFFFF); //Noncompliant

  i = i >> 17; //Noncompliant
}

In this example, these code constructs violate this rule because they result in undefined or critical unspecified behavior:

  • Expansion of the DEFINED macro contains the defined operator.

  • Casting the integer constant 0xFFFFFF to a 16-bit signed integer type causes an overflow.

  • Right shifting the 16-bit variable i by 17 bits is undefined.

Check Information

Group: General principles
Category: Required

Version History

Introduced in R2024b


1 All MISRA coding rules and directives are © Copyright The MISRA Consortium Limited 2021.

The MISRA coding standards referenced in the Polyspace Bug Finder™ documentation are from the following MISRA standards:

  • MISRA C:2004

  • MISRA C:2012

  • MISRA C:2023

  • MISRA C++:2008

  • MISRA C++:2023

MISRA and MISRA C are registered trademarks of The MISRA Consortium Limited 2021.