Errors during floating-point operations are often neglected by programmers who instead focus on validating operands before an operation. Errors that occur during floating-point operations are admittedly difficult to determine and diagnose, but the benefits of doing so often outweigh the costs. This recommendation suggests ways to capture errors during floating-point operations.
The following code exhibits undefined behavior:
On most implementations, integer division by zero is a terminal error, commonly printing a diagnostic message and aborting the program:
Floating-point division by zero also results in undefined behavior, although most implementations do not treat it as a terminal error. If additional precautions are not taken, it results in a silent error.
The most portable way to determine if a floating-point exceptional condition has occurred is to use the floating-point exception facilities provided by C in
However, the C floating-point exception functions are not without problems. The following caveats exist regarding the interaction between floating-point exceptions and conversions:
- Conversion from floating-point to integer may cause an "invalid" floating-point exception. If this occurs, the value of that integer is undefined and should not be used.
- Most implementations fail to raise "invalid" for conversions from any negative or "large" positive floating-point values to unsigned integer types or to
signed char. (See tflt2int.c.)
- When a noninteger floating-point value is converted to an integer, the "inexact" floating-point exception is raised.
For information regarding floating-point number conversions, see FLP34-C. Ensure that floating-point conversions are within range of the new type.
The C Standard does not require all implementations to support floating-point exceptions. Each exception macro in
fenv.h is defined if, and only if, the corresponding exception is supported. Only implementations that use IEC 60559 (formerly IEEE-754) floating-point arithmetic are required to support all five exceptions defined by C (see the C Standard, subclause 7.6.2 [ISO/IEC 9899:2011]). Nevertheless, these functions are the most portable solution for handling floating-point exceptions.
A less portable but potentially more secure solution is to use the capabilities provided by the underlying implementation. If this approach is taken, the caveats of that system must be well understood. The following table provides a starting point for some common operating systems:
How to Handle Floating-Point Errors
Use the C floating-point exception functions
Use either the C floating-point exception functions or structured exception handling through
Noncompliant Code Example
In this noncompliant code example, floating-point operations are performed without checking for errors. Note that range checking has been intentionally omitted because the intent is to detect errors following the floating-point operation.
However, exceptional conditions (as indicated by the comments) occur that may lead to unexpected arithmetic results.
Compliant Solution (C)
This compliant solution uses C Standard functions to handle floating-point errors:
Compliant Solution (Windows)
Microsoft Visual Studio 2008 and earlier versions do not support C functions to handle floating-point errors. Windows provides an alternative method using
Compliant Solution (Windows SEH)
Microsoft Visual Studio 2008 also uses structured exception handling (SEH) to handle floating-point operations. SEH provides more information about the error and allows the programmer to change the results of the floating-point operation that caused the error condition.
Undetected floating-point errors may result in lower program efficiency, inaccurate results, or software vulnerabilities. Most processors stall for a significant duration when an operation incurs a NaN (not a number) value.
Could detect violations of this rule by ensuring that floating-point operations are surrounded by
|LDRA tool suite|
|43 D||Partially implemented|
Avoid division by zero
|Parasoft Insure++||Runtime analysis|
736, 9120, 9227
|Polyspace Bug Finder|
Rec. partially covered.
Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.
|SEI CERT C++ Coding Standard||VOID FLP03-CPP. Detect and handle floating point errors|
|MITRE CWE||CWE-369, Divide by zero|
|[IEEE Std 1003.1:2013]||XBD, Headers, |
|[ISO/IEC 9899:2011]||Subclause 7.6.2, "Floating-Point Exceptions"|