C’s integer promotion rules silently convert signed values to unsigned during mixed-type operations, producing results that contradict the developer’s intent. The expression 0u > -1 evaluates to false because -1 is converted to 4294967295 before the comparison. This single rule - codified in C99 section 6.3.1.8 - is responsible for an entire class of bugs that compile without errors and pass casual code review.
By William Murray, Founder of SpeyTech - deterministic computing for safety-critical systems. Inverness, Scottish Highlands.
This article explains the complete integer promotion hierarchy, demonstrates six patterns where implicit conversions create bugs, and provides the compiler flags and coding practices that make these conversions visible.
The Contradiction That Starts It All
Two expressions. One character difference. Opposite results.
0 > -1 // evaluates to 1 (true) - both operands are int
0u > -1 // evaluates to 0 (false) - -1 becomes 4294967295uThe first comparison works as expected: zero is greater than negative one. The second comparison adds a single u suffix, making the left operand unsigned int. The compiler now applies the usual arithmetic conversions from C99 section 6.3.1.8: when a signed int meets an unsigned int of the same conversion rank, the signed value converts to unsigned. The two’s complement representation of -1 is all ones. Reinterpreted as unsigned on a 32-bit system, that value is 4294967295 - UINT_MAX. The comparison becomes 0u > 4294967295u, which is false.
No warning is emitted by default. The code compiles cleanly. The bug is invisible without -Wsign-compare.
How C’s Integer Promotion Rules Work
Integer promotion is the implicit conversion of types narrower than int to int (or unsigned int) before any arithmetic operation.
C’s type conversion happens in two stages, both invisible in the source code.
Stage 1: Integer promotions. Any type with a conversion rank lower than int - including char, short, int8_t, uint8_t, int16_t, and uint16_t - is promoted to int before any arithmetic or comparison. If all values of the original type fit in an int, the promotion is to int. Otherwise, it is to unsigned int. On any platform where int is 32 bits, every sub-int type promotes to signed int.
Stage 2: Usual arithmetic conversions. When two operands have different types after integer promotion, C applies a second conversion to find a common type. The rules, specified in C99 section 6.3.1.8, follow a hierarchy based on conversion rank:
- If either operand is
long long, the other converts tolong long(signed or unsigned, depending on the next rules). - If either operand is
long, the other converts tolong. - If either operand is
unsigned int, the other converts tounsigned int.
The critical rule is number 3. When a signed int meets an unsigned int, the signed value is converted to unsigned. The conversion is defined by C99 section 6.3.1.3: the value is reduced modulo UINT_MAX + 1. For -1, that means (-1) mod 4294967296 = 4294967295.
The signed value does not become “unsigned negative one.” It becomes a large positive number. This is not a bug in the compiler. It is the language specification working exactly as written.
Six Patterns That Create Bugs
Pattern 1: Signed/Unsigned Comparison
unsigned int count = 10;
int index = -1;
if (index < count) {
// Developer expects: true (-1 < 10)
// Actual: false (4294967295 > 10)
process(index);
}The developer intends to guard against negative indices. The guard fails because -1 converts to 4294967295u before the comparison. The process() call never executes for the one case it was designed to catch.
Fix: Cast explicitly, or use matching types.
if (index < 0 || (unsigned int)index < count) {
process(index);
}Pattern 2: strlen() Against a Negative Value
if (strlen(s) > -1) {
// Developer expects: always true (length is non-negative)
// Actual: always false
handle(s);
}strlen() returns size_t, which is unsigned long on 64-bit platforms. The literal -1 has type int. Under the usual arithmetic conversions, -1 converts to SIZE_MAX (18446744073709551615 on a 64-bit system). No string can have a length exceeding SIZE_MAX, so the comparison is always false.
Fix: The comparison is logically unnecessary - strlen() already returns an unsigned value that is always non-negative. If a minimum-length check is the intent, compare against the actual threshold:
if (strlen(s) > 0) {
handle(s);
}Pattern 3: Narrowing Assignment
uint8_t sensor_reading = 256; // becomes 0: 256 mod 256 = 0
int16_t temperature = 40000; // becomes -25536: wraps past INT16_MAXWhen a value is assigned to a narrower type, the high bits are discarded. For unsigned targets, the result is the value modulo 2^N where N is the bit width. For signed targets, the result is implementation-defined in C99 (C23 defines it as two’s complement). On a system using two’s complement, 40000 stored in an int16_t wraps to -25536.
A sensor returning 256 reads as 0 after this assignment. A temperature of 40000 (perhaps in hundredths of a degree) becomes negative. Both compile without error.
Fix: Validate range before narrowing, or use appropriately-sized types.
int raw = read_sensor();
if (raw < 0 || raw > UINT8_MAX) {
report_error(raw);
return;
}
uint8_t sensor_reading = (uint8_t)raw;Pattern 4: printf Format Mismatch
unsigned int x = 4294967295u;
printf("%d\n", x); // prints -1The %d format specifier tells printf to interpret the argument as a signed int. The bit pattern of 4294967295u is identical to -1 in two’s complement. The compiler may warn, but the behaviour is undefined per C99 section 7.19.6.1 - the format specifier does not match the argument type.
Fix: Match the format specifier to the type.
printf("%u\n", x); // prints 4294967295Pattern 5: Bitwise Shift on Signed Types
int x = -1;
int result = x >> 1; // implementation-definedRight-shifting a negative signed integer is implementation-defined in C99 (section 6.5.7). The compiler may perform an arithmetic shift (preserving the sign bit, giving -1) or a logical shift (filling with zeros, giving 2147483647). GCC performs arithmetic shifts on x86, but the C standard does not require this. Code that depends on arithmetic shift behaviour is not portable.
Fix: Use unsigned types for bitwise operations.
unsigned int x = 0xFFFFFFFFu;
unsigned int result = x >> 1; // defined: 0x7FFFFFFFPattern 6: Ternary Operator Type Coercion
int a = -1;
unsigned int b = 1;
unsigned int result = (condition) ? a : b;The ternary operator applies the usual arithmetic conversions to determine the common type of its second and third operands. Since b is unsigned int, a converts to unsigned int before the selection. If condition is true, result is 4294967295u - not -1. The conversion happens regardless of which branch is taken. The common type is determined at compile time, and both operands are converted to it.
Fix: Ensure both operands have the same type, or cast explicitly.
int result = (condition) ? a : (int)b; // if int is the intended typeWhy the Rules Exist
C’s integer promotion rules are not arbitrary. They reflect hardware constraints from the 1970s and a backward-compatibility chain that stretches across five decades.
The PDP-11 and Word-Sized Arithmetic
The PDP-11, the machine C was designed for, performed arithmetic in 16-bit words. Operations on char (8-bit) required promotion to the machine’s native word size before the ALU could process them. Integer promotion codified this hardware reality into the language: sub-word types promote to int because the hardware could not operate on them directly.
Value-Preserving vs Unsigned-Preserving
Early C (K&R) used “unsigned-preserving” rules: if either operand was unsigned, the result was unsigned. This was simple but produced surprising results when mixing signed and unsigned types of different widths. C89 adopted “value-preserving” rules instead: a narrower unsigned type promotes to signed int if int can represent all its values. This reduced some surprises for uint16_t on 32-bit platforms but did not eliminate the core problem of same-rank signed/unsigned mixing.
Why C99 Did Not Fix It
The signed-to-unsigned conversion rule for same-rank operands has survived every revision of the C standard because changing it would break existing code. Billions of lines of C depend on the current conversion behaviour. Some code intentionally exploits unsigned wraparound for hash functions, checksums, and bit manipulation. Altering the conversion rules would silently change the semantics of that code - the same class of silent breakage the rules themselves cause. Backward compatibility is load-bearing in C. The committee chose a known set of problems over an unknown set of regressions.
What Modern Languages Learned
Each language that followed C made a deliberate choice about implicit numeric conversions, and each paid a different cost.
Rust requires explicit conversion with the as keyword. let x: u32 = y as u32; makes every conversion visible in the source. The trade-off is verbosity - numeric code in Rust contains conversion syntax that does not appear in C. The benefit is that no conversion happens without the developer’s knowledge.
Go prohibits all implicit numeric conversions. Adding an int32 to an int64 requires an explicit cast. This eliminates an entire class of promotion bugs at the cost of requiring conversion boilerplate in arithmetic-heavy code.
Swift enforces strict type safety with no implicit promotion between integer types. Int8 and Int16 are distinct types that cannot be mixed without explicit initialisation. The compiler rejects mixed-type arithmetic at compile time rather than converting silently.
Each of these languages made implicit conversions impossible and explicit conversions verbose. The result is that type promotion bugs do not exist in these languages. The cost is that developers write more conversion syntax. C chose the opposite trade-off: less syntax, more implicit behaviour, and a class of bugs that has persisted for fifty years.
Compiler Flags That Catch Type Promotion Bugs
GCC and Clang provide flags that make implicit conversions visible. The compiler already detects these conversions internally - the flags control whether it reports them.
-Wsign-compare warns when a comparison has operands of different signedness. This catches Pattern 1 and Pattern 2 directly. It is included in -Wall.
-Wconversion warns on implicit conversions that may change a value, including narrowing conversions. This catches Pattern 3. It is not included in -Wall or -Wextra and must be enabled explicitly.
-Wsign-conversion warns specifically on implicit conversions that change signedness. This catches cases where a signed value is assigned to an unsigned variable or vice versa, even when the value is not changed.
-Wformat warns on printf format mismatches. This catches Pattern 4. It is included in -Wall.
The following table summarises which flags catch which patterns:
| Flag | Pattern 1 | Pattern 2 | Pattern 3 | Pattern 4 | Pattern 5 | Pattern 6 |
|---|---|---|---|---|---|---|
-Wsign-compare | Yes | Yes | - | - | - | Yes |
-Wconversion | Yes | Yes | Yes | - | - | Yes |
-Wsign-conversion | Yes | Yes | Yes | - | - | Yes |
-Wformat | - | - | - | Yes | - | - |
-Wall | Yes | Yes | - | Yes | - | Yes |
-Wextra | Yes | Yes | - | Yes | - | Yes |
The recommended baseline for any C project is:
-Wall -Wextra -Wpedantic -Werror-Werror promotes warnings to errors, preventing code with implicit conversions from compiling. Every SpeyTech project uses this baseline. For safety-critical code, add -Wconversion -Wsign-conversion to catch narrowing and sign-changing conversions that -Wall misses.
The Safety-Critical Connection
Implicit type conversions are not just a code quality concern. In safety-critical systems, they are an audit liability and a certification obstacle.
MISRA C Rule 10.4 requires that both operands of an arithmetic operation have the same essential type category. Mixing a signed integer with an unsigned integer violates this rule. MISRA C Rule 10.1 further restricts which essential types are appropriate for specific operations - bitwise operations on signed types, for example, are prohibited.
In DO-178C-governed aerospace software, implicit type conversions are a common audit finding. Certification requires demonstrating that every operation produces the intended result. An implicit conversion that changes a value’s magnitude or sign is a gap in that demonstration. Auditors flag mixed-type comparisons because the developer’s intent cannot be determined from the source code alone.
Fixed-point arithmetic addresses this problem by construction. Q16.16 fixed-point uses int32_t exclusively for all arithmetic. There are no mixed-type operations because there is only one type. Multiplication uses an intermediate int64_t, but the widening is explicit and controlled. The absence of implicit conversions is not a side effect - it is a design property that makes the arithmetic auditable. The fixed-point-fundamentals course covers this approach in detail.
Integer promotion bugs in safety-critical systems are not theoretical. A sensor reading that wraps from 256 to 0 due to a narrowing assignment (Pattern 3) produces incorrect control outputs. A bounds check that fails due to signed/unsigned mismatch (Pattern 1) allows out-of-range access. These are the failure modes that MISRA and DO-178C exist to prevent.
Frequently Asked Questions
What is integer promotion in C?
Integer promotion is the implicit conversion of types narrower than int to int before arithmetic. C99 section 6.3.1.1 specifies that char, short, and their sized variants (int8_t, uint16_t, etc.) promote to int if int can represent all values of the original type. This promotion is invisible in the source code and occurs before any operator is applied.
How do I prevent signed/unsigned comparison bugs?
Enable -Wsign-compare (included in -Wall) and -Werror to make the compiler reject mixed-signedness comparisons. When a comparison between signed and unsigned types is intentional, add an explicit cast and a comment explaining why the conversion is safe. Prefer matching types in function signatures and variable declarations to avoid the comparison arising in the first place.
Why does -1 become 4294967295 when converted to unsigned int?
C99 section 6.3.1.3 defines unsigned conversion as reduction modulo UINT_MAX + 1. On a 32-bit system, UINT_MAX is 4294967295, so UINT_MAX + 1 is 4294967296. The value -1 mod 4294967296 equals 4294967295. This is not a reinterpretation of bits - it is a defined arithmetic operation, though on two’s complement hardware the bit pattern happens to be the same.
Why doesn’t the C standard fix implicit type promotion?
Backward compatibility prevents changes to the conversion rules. Billions of lines of existing C code depend on the current behaviour, including code that intentionally uses unsigned wraparound for hash functions, checksums, and modular arithmetic. Changing the rules would silently alter the semantics of that code, trading one class of silent bugs for another.
What are the limitations of compiler warnings for type promotion?
Compiler warnings catch many but not all promotion-related bugs. -Wconversion and -Wsign-conversion are not included in -Wall, so projects using only -Wall miss narrowing conversions. Warnings also cannot distinguish between intentional and accidental conversions - a legitimate use of unsigned wraparound triggers the same warning as a bug. In codebases with many legacy warnings, developers may disable conversion warnings entirely, removing the safety net.
Conclusion
C’s integer promotion rules silently convert negative values to large unsigned numbers, invalidating comparisons and bounds checks in compiled code. The trade-off for catching these bugs at compile time is a stricter warning configuration and more explicit type management in source code. As with any architectural approach, suitability depends on system requirements, risk classification, and regulatory context.
The c-from-scratch course covers integer promotion, type conversion, and related C fundamentals with compiler-verified examples throughout. The companion book, “C From Scratch: Learn Safety-Critical C the Right Way,” is available on Leanpub.