How to properly do negative value cast to an unsigned type in C?

I want to store a register value and do the bitwise NOT operator like below

typedef union TEST_REG {
  uint32_t                         u32Register;
  uint8_t                          Byte[4];
  uint16_t                         hword[2];
} tst_reg;

#define TEST_REGISTER              ((volatile tst_reg*) 0x7023100CUL) // Register

Below is a sample code to store the value

#define CHECK_FLAG 					(0x00000004)
TEST_REGISTER->u32Register &= (uint32_t)(~(CHECK_FLAG));

But when I perform the TEST_REGISTER->u32Register &= (uint32_t)(~(CHECK_FLAG)); code, QAC is throwing a warning like

Constant: Negative value cast to an unsigned type

I understood that if we do a NOT (~) operator the Hexa values will change to negative number.

So I would like to know how to properly do the negative value cast to an unsigned type ? Any suggestions ?

> But when I perform the TEST_REGISTER->u32Register &=
> (uint32)(~(CHECK_FLAG)); code, QAC is throwing a warning like
>
> Constant: Negative value cast to an unsigned type

In the first place, C has no objection to converting negative integer values to unsigned types. The behavior is well-defined. It is MISRA that objects. In fact, MISRA fundamentally objects to applying the ~ to an expression of signed integer type, and it objects to converting a composite expression of signed integer type to a different "essential type category", such as unsigned integer. I'm not sure exactly where QAC is coming from, but MISRA doesn't care whether the value of the expression being converted is actually negative.

The thing to do is to start with an unsigned integer in the first place. You can do that by suffixing your constant with u or U: 0x00000004u. Alternatively, stdint.h contains macros for writing constants of explicit-width types, and by using the appropriate one of those, you can solve the signedness issue and avoid a cast:

#define CHECK_FLAG                  (UINT32_C(0x00000004))
TEST_REGISTER->u32Register &= ~CHECK_FLAG;

Cast before using the ~ operator, or define CHECK_FLAG as a uint32 with a cast or by adding 'u' to the literal to specify it is an unsigned literal.

~((uint32)CHECK_FLAG)

or

#define CHECK_FLAG ((uint32)0x00000004)
#define CHECK_FLAG (0x00000004u)

See this page: http://port70.net/~nsz/c/c11/n1570.html#6.4.4.1 for the different suffixes in C.

A literal without a suffix is always interpreted as an int. So let's take a look at what happens when you write:

(uint32)(~(CHECK_FLAG))

CHECK_FLAG, which is the literal 4 and therefore behaves as a signed int when inverting the bits, becomes a negative value as a result of the bit inversion.

(uint32)(-5)

Now you're casting a negative value to an unsigned type, which the compiler warns you about.

If you cast to uint32 to before you invert (or use an unsigned literal to begin with), then the inversion does not result in a negative value because the variable is already unsigned when you are inverting the bits, and unsigned values cannot become negative.

> How to properly do negative value ...

With masking, best to use unsigned constants (there are no negative values then). The () are not needed, but not harmful either.

Typically a cast indicates weak code.

// #define CHECK_FLAG                  (0x00000004)
#define CHECK_FLAG                  0x00000004U
// TEST_REGISTER->u32Register &= (uint32)(~(CHECK_FLAG));
TEST_REGISTER->u32Register &= ~CHECK_FLAG;

Your MISRA checker should already give a warning at #define CHECK_FLAG (0x00000004). This needs to have a U/u suffix to be MISRA compliant and that's the actual problem here.

Some other things of note:

• The parenthesis around an integer constant fills no purpose (but could be problematic in case of using this one together with other macros.)

• Adding a bunch of 0000.... in front of a hex number fills no purpose but to confuse the programmer. C is kind of broken/cheeky when it comes to hex integer constants. Assuming 32 bit system then 0x00000004 is of type int, 0x4 is of type int, but 0x80000000 is of type unsigned int and 0x100000000 is of type long or long long.

  Very easy to write subtle bugs because of this. As some RL anecdote I once took over a broken project for an 8-bitter with 16 bit int where they had made a habit of typing out zeroes just like this, fooling themselves thinking they were getting 32 bit numbers. While in fact the project actually contained a mix of 16 bit int, 16 bit unsigned int and 32 bit long and this was one of the main reasons why the entire program was broken.

Therefore the correct code should be:

#define CHECK_FLAG 0x4u
...
TEST_REGISTER->u32Register &= ~CHECK_FLAG;

The parenthesis spam makes no difference for MISRA compliance in this case - it's just bloat so I removed it. The cast is no longer necessary either since all operands of the expression are unsigned, "essentially unsigned" as MISRA calls it, and then no casts are required.