V2531. MISRA. Expression of essential type 'foo' should not be explicitly cast to essential type 'bar'.


This diagnostic rule is based on the software development guidelines developed by MISRA (Motor Industry Software Reliability Association).

This diagnostic applies only to code written in C.

A value of one essential type should not be explicitly cast to a value of another incompatible essential type. The MISRA standard introduces the essential type model, where variables can have the following types:

  • Boolean, if it operates true/false values: '_Bool';
  • signed, if operates signed integer numbers, or is an unnamed enum: 'signed char', 'signed short', 'signed int', 'signed long', 'signed long long', 'enum { .... }';
  • unsigned, if operates unsigned integer numbers: 'unsigned char', 'unsigned short', 'unsigned int', 'unsigned long', 'unsigned long long';
  • floating, if operates floating point numbers: 'float', 'double', 'long double';
  • character, if operates only characters: 'char';
  • Named enum, if operates a named set of user-specific values: 'enum name { .... };'.

This model does not include pointers.

The following table shows situations that developers should avoid:

Picture 4

Exceptions:

  • A variable of type 'enum' can be cast to an alias for that type.
  • Constant integers '0' and '1' can be cast to 'Boolean'.

Reasons for explicit type conversion are as follows:

  • to make code easier to read;
  • to change a type to use it in a subsequent arithmetic operation;
  • deliberate truncation of the value (when casting from a wider type to a narrower type, i.e. 'long' -> 'short').

For some reasons, casts from one essential type to another may be dangerous or meaningless, for example:

  • casting from 'signed'/'unsigned' integer to named 'enum' may be dangerous as the value may not fit into the range determined by the maximum size of the given 'enum' type;
  • casts from 'Boolean' to any other type are usually meaningless;
  • casts between essential 'floating' and 'character' types are also meaningless as there is no precise mapping between the two representations.

The following example will trigger the corresponding warnings:

enum A {ONE, TWO = 2};

float foo(int x, char ch)
{
    enum A a = (enum A) x;  // signed to enum, may lead to 
                            // unspecified behavior

    int y = int(x == 4);    // Meaningless cast Boolean to signed

    return float(ch) + .01; // Meaningless cast character to floating,
                            // there is no precise mapping between
                            // two representations
}

Bugs Found

Checked Projects
363
Collected Errors
13 495